diff --git a/SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch b/SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch
new file mode 100644
index 0000000..dc46ba5
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch
@@ -0,0 +1,29 @@
+From 172258291cea7100e89002203f3d9ae1bc468cd3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Wed, 21 Sep 2022 17:22:29 +0200
+Subject: [PATCH] add warning to sysctl_net_ipv4_conf_all_forwarding
+
+---
+ .../sysctl_net_ipv4_conf_all_forwarding/rule.yml | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
+index 7b0066f7c29..20a778cdf9e 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
+@@ -36,6 +36,15 @@ srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless th
+
+ platform: machine
+
++
++warnings:
++ - general: |-
++ There might be cases when certain applications can systematically override this option.
++ One such case is {{{ weblink("https://libvirt.org/", "Libvirt") }}}; a toolkit for managing of virtualization platforms.
++ By default, Libvirt requires IP forwarding to be enabled to facilitate
++ network communication between the virtualization host and guest
++ machines. It enables IP forwarding after every reboot.
++
+ template:
+ name: sysctl
+ vars:
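Review bot: The new `warnings` text explains why this check can fail on a virtualization host but does not tell the assessor what to do with that result; since the text itself states that Libvirt re-enables forwarding after every reboot, remediation on such a host is undone at the next boot, so consider closing the warning with a sentence such as `On hosts where Libvirt is required, tailor this rule out instead of remediating it, as the setting is re-enabled on every reboot.` Separately, `a toolkit for managing of virtualization platforms` reads better as `a toolkit for managing virtualization platforms`. The warnings block is the only content this embedded patch touches; the rest of rule.yml is outside the hunk.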
diff --git a/SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch b/SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
new file mode 100644
index 0000000..d535517
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
@@ -0,0 +1,26 @@
+From bd2128cdc6a657306b8c9644481346f0ab4411f6 Mon Sep 17 00:00:00 2001
+From: Edgar Aguilar
+Date: Mon, 5 Sep 2022 11:07:33 -0500
+Subject: [PATCH] Update OVAL in openssh rule
+
+Update OVAL in harden_sshd_ciphers_opensshserver_conf_crypto_policy to
+align it with generated conf by remediation
+
+Signed-off-by: Edgar Aguilar
+---
+ .../oval/shared.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+index 53919eaae7f..21d4e716dbc 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+@@ -16,7 +16,7 @@
+
+
+ {{{ PATH }}}
+- ^(?!#).*(-oCiphers=\S+).*$
++ ^(?!#).*(-oCiphers=[^\s']+).*$
+ 1
+
+
diff --git a/SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch b/SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
new file mode 100644
index 0000000..6a425f4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
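Review bot: The new character class `[^\s']+` stops the capture at a single quote, which according to the commit message matches the quoting the remediation writes, but a value wrapped in double quotes would still be captured together with its quotes and fail whatever state the capture group is compared against. If the opensshserver crypto-policy file can legitimately carry a double-quoted value, `^(?!#).*(-oCiphers=[^\s'"]+).*$` covers both forms without loosening the match. The XML element tags were stripped in this rendering of the patch, so the state element and the comparison it performs are not visible here and should be checked in the actual file.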
@@ -0,0 +1,472 @@ +From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Mon, 14 Nov 2022 15:46:12 +0100 +Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny + +Rules are stored in different places depending on the system version. +These changes are now explicit in ocil and fixtext. In RHEL8.6 it was +introduced the rules.d feature and together the fagenrules script which +reads and concatenate the rules from rules.d to finally save the result +in the /etc/fapolicyd/compiled.rules file. +--- + .../services/fapolicyd/fapolicy_default_deny/rule.yml | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml +index 5b9a1649571..eeecd34e69a 100644 +--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml +@@ -39,10 +39,14 @@ ocil: |- + + permissive = 0 + +- Check that fapolicyd employs a deny-all policy on system mounts with the following command: ++ Check that fapolicyd employs a deny-all policy on system mounts with the following commands: + ++ For RHEL 8.5 systems and older: + $ sudo tail /etc/fapolicyd/fapolicyd.rules + ++ For RHEL 8.6 systems and newer: ++ $ sudo tail /etc/fapolicyd/compiled.rules ++ + allow exe=/usr/bin/python3.7 : ftype=text/x-python + deny_audit perm=any pattern=ld_so : all + deny perm=any all : all +@@ -54,8 +58,12 @@ fixtext: |- + + permissive = 1 + ++ For RHEL 8.5 systems and older: + Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all". + ++ For RHEL 8.6 systems and newer: ++ Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all". 
++ + Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file. + + permissive = 0 + +From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 17 Nov 2022 09:40:20 +0100 +Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny + +Firsly the existing checks were aligned to the style guides and the +comments were reviewed. The regex used to identify the expected policy +was also fixed since it wasn't ensuring the deny policy if defined in a +wrong position. Finally, it was extended the assessment to consider the +/etc/fapolicyd/compiled.rules file. +--- + .../fapolicy_default_deny/oval/shared.xml | 64 +++++++++++++------ + 1 file changed, 43 insertions(+), 21 deletions(-) + +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml +index 9989459ad22..40bdcf870ca 100644 +--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml +@@ -4,36 +4,58 @@ + oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy") + }}} + +- +- ++ ++ ++ ++ ++ + + + +- +- ++ ++ + +- +- ++ ++ ++ /etc/fapolicyd/compiled.rules ++ ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z ++ 1 ++ ++ ++ ++ ++ ++ ++ + /etc/fapolicyd/fapolicyd.rules +- (^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$ ++ ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z + 1 + +- +- +- ++ ++ ++ ++ + +- ++ ++ + /etc/fapolicyd/fapolicyd.conf + ^\s*permissive\s*=\s*(\d+) +- 1 ++ 1 + +- +- 0 +- ++ ++ ++ 0 ++ + + +From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 17 Nov 2022 10:32:51 +0100 +Subject: [PATCH 3/5] Refactored the test scenario scripts + +The scripts were invalid and wrongly 
reporting results. The main issue +was in scripts which intended to create two lines in a file but were +overwriting the entire file in the second command instead of append the +second line. The scripts were also refactored to consider systems using +the rules.d feature and also older systems which doesn't have the +rules.d feature. Another issue was that "no_quotes" was false by default +in the bash_shell_file_set macro, but the fapolicyd.conf doesn't expect +quotes and this was causing inconsistency in the file, so the no_quotes +was set to true when calling the macro from test scenarios. Finally the +scripts names were better aligned to their respective scenarios. +--- + .../tests/allow_policy.fail.sh | 18 ++++++++++++++++++ + .../tests/commented_value.fail.sh | 12 ------------ + .../tests/correct_value.pass.sh | 12 ------------ + .../tests/deny_not_last.fail.sh | 12 ------------ + .../tests/deny_policy.pass.sh | 18 ++++++++++++++++++ + .../tests/deny_policy_but_permissive.fail.sh | 16 ++++++++++++++++ + .../tests/deny_policy_commented.fail.sh | 18 ++++++++++++++++++ + .../tests/deny_policy_not_ensured.fail.sh | 18 ++++++++++++++++++ + .../tests/fapolicy_permissive.fail.sh | 5 ----- + .../tests/wrong_value.fail.sh | 11 ----------- + 10 files changed, 88 insertions(+), 52 deletions(-) + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh + delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh + delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh + delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh + create mode 100644 
linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh + delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh + delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh +new file mode 100644 +index 00000000000..23d7e699056 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}} ++ ++if [ -f /etc/fapolicyd/compiled.rules ]; then ++ active_rules_file="/etc/fapolicyd/compiled.rules" ++else ++ active_rules_file="/etc/fapolicyd/fapolicyd.rules" ++fi ++ ++truncate -s 0 $active_rules_file ++ ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file ++echo "allow perm=any all : all" >> $active_rules_file ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh +deleted file mode 100644 +index a8df835af76..00000000000 +--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh ++++ /dev/null +@@ -1,12 +0,0 @@ +-#!/bin/bash +-# packages = fapolicyd +-# remediation = none +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} +- +-truncate -s 0 /etc/fapolicyd/fapolicyd.rules +- +-echo "allow exe=/usr/bin/python3.7 : 
ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules +-echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh +deleted file mode 100644 +index c88406b0be4..00000000000 +--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh ++++ /dev/null +@@ -1,12 +0,0 @@ +-#!/bin/bash +-# packages = fapolicyd +-# remediation = none +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} +- +-truncate -s 0 /etc/fapolicyd/fapolicyd.rules +- +-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules +-echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh +deleted file mode 100644 +index 59b16308563..00000000000 +--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh ++++ /dev/null +@@ -1,12 +0,0 @@ +-#!/bin/bash +-# packages = fapolicyd +-# remediation = none +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} +- +-truncate -s 0 /etc/fapolicyd/fapolicyd.rules +- +-echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules +-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh 
+new file mode 100644 +index 00000000000..f3ff83ca602 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}} ++ ++if [ -f /etc/fapolicyd/compiled.rules ]; then ++ active_rules_file="/etc/fapolicyd/compiled.rules" ++else ++ active_rules_file="/etc/fapolicyd/fapolicyd.rules" ++fi ++ ++truncate -s 0 $active_rules_file ++ ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file ++echo "deny perm=any all : all" >> $active_rules_file ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh +new file mode 100644 +index 00000000000..caa401ca174 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh +@@ -0,0 +1,16 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}} ++ ++if [ -f /etc/fapolicyd/compiled.rules ]; then ++ active_rules_file="/etc/fapolicyd/compiled.rules" ++else ++ active_rules_file="/etc/fapolicyd/fapolicyd.rules" ++fi ++ ++truncate -s 0 $active_rules_file ++ ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file ++echo "deny perm=any all : all" >> $active_rules_file +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh +new file mode 100644 +index 00000000000..4e4bc430cec +--- /dev/null ++++ 
b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}} ++ ++if [ -f /etc/fapolicyd/compiled.rules ]; then ++ active_rules_file="/etc/fapolicyd/compiled.rules" ++else ++ active_rules_file="/etc/fapolicyd/fapolicyd.rules" ++fi ++ ++truncate -s 0 $active_rules_file ++ ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file ++echo "# deny perm=any all : all" >> $active_rules_file ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh +new file mode 100644 +index 00000000000..b52e5446afc +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}} ++ ++if [ -f /etc/fapolicyd/compiled.rules ]; then ++ active_rules_file="/etc/fapolicyd/compiled.rules" ++else ++ active_rules_file="/etc/fapolicyd/fapolicyd.rules" ++fi ++ ++truncate -s 0 $active_rules_file ++ ++echo "deny perm=any all : all" >> $active_rules_file ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh +deleted file mode 100644 +index 50756a0e7a3..00000000000 +--- 
a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh ++++ /dev/null +@@ -1,5 +0,0 @@ +-#!/bin/bash +-# packages = fapolicyd +-# remediation = none +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh +deleted file mode 100644 +index da3e33f57fd..00000000000 +--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh ++++ /dev/null +@@ -1,11 +0,0 @@ +-#!/bin/bash +-# packages = fapolicyd +-# remediation = none +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} +- +-truncate -s 0 /etc/fapolicyd/fapolicyd.rules +- +-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules +- +-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} + +From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 17 Nov 2022 11:02:34 +0100 +Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces + +Once the test scenario scripts were fixed, an issue was revelead in +bash_shell_file_set macro. The macro was not considering config files +which have spaces before and after the separator carachter. Since the +separator_regex parameter already expects regex format, it was easily +extended. 
+---
+ shared/macros/10-bash.jinja | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
+index ae0f0e5e6ad..0e369314645 100644
+--- a/shared/macros/10-bash.jinja
++++ b/shared/macros/10-bash.jinja
+@@ -122,13 +122,13 @@ fi
+ {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
+ {{% if no_quotes -%}}
+ {{% if "$" in value %}}
+- {{% set value = '%s' % value.replace("$", "\\$") %}}
++ {{% set value = '%s' % value.replace("$", "\\$") %}}
+ {{% endif %}}
+ {{%- else -%}}
+ {{% if "$" in value %}}
+- {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
++ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+ {{% else %}}
+- {{% set value = "'%s'" % value %}}
++ {{% set value = "'%s'" % value %}}
+ {{% endif %}}
+ {{%- endif -%}}
+ {{{ set_config_file(
+@@ -140,7 +140,7 @@ fi
+ insert_before="^#\s*" ~ parameter,
+ insensitive=false,
+ separator="=",
+- separator_regex="=",
++ separator_regex="\s*=\s*",
+ prefix_regex="^\s*")
+ }}}
+ {{%- endmacro -%}}
+
+From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt
+Date: Fri, 18 Nov 2022 09:58:47 +0100
+Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text
+
+The change is intended to avoid that RHEL 9 and OL get RHEL 8 minor
+version text.
+---
+ .../guide/services/fapolicyd/fapolicy_default_deny/rule.yml | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+index eeecd34e69a..220801bc471 100644
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+@@ -41,10 +41,12 @@ ocil: |-
+
+ Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+
++ {{%- if product in ["rhel8"] %}}
+ For RHEL 8.5 systems and older:
+ $ sudo tail /etc/fapolicyd/fapolicyd.rules
+
+ For RHEL 8.6 systems and newer:
++ {{%- endif %}}
+ $ sudo tail /etc/fapolicyd/compiled.rules
+
+ allow exe=/usr/bin/python3.7 : ftype=text/x-python
+@@ -58,10 +60,12 @@ fixtext: |-
+
+ permissive = 1
+
++ {{%- if product in ["rhel8"] %}}
+ For RHEL 8.5 systems and older:
+ Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
+
+ For RHEL 8.6 systems and newer:
++ {{%- endif %}}
+ Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
+
+ Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
diff --git a/SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch b/SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
new file mode 100644
index 0000000..542cff4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
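Review bot: In the refactored OVAL of patch 2/5 the pattern `^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z` separates every token with `\s*`, so a line like `denyperm=anyall:all`, which is not a rule fapolicyd would act on, still satisfies the check; `\s+` between `deny`, `perm=any` and `all` pins the spacing the rule actually needs, and the same edit applies to both the `compiled.rules` and the `fapolicyd.rules` object. The element tags were stripped in this rendering, so the operator that combines the two file tests cannot be verified; if it is an OR, a stale `/etc/fapolicyd/fapolicyd.rules` that still ends in the deny rule would pass on a rules.d system whose active `/etc/fapolicyd/compiled.rules` does not, which the test scenarios in patch 3/5 (they rewrite only one file) would not catch. In patch 5/5, the left-stripping `{{%- if product in ["rhel8"] %}}` also removes the blank line preceding it inside the `ocil` and `fixtext` block scalars on every product; `{{% if product in ["rhel8"] %}}` without the dash keeps the paragraph break.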
@@ -0,0 +1,41 @@
+From 7e2c7cc70acfdd71c64a8d9c0b6ea365a65ac1d5 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 10 Nov 2022 14:01:17 +0100
+Subject: [PATCH 2/2] accounts_password: Add tests for conflicting and
+ duplicate values
+
+Add tests for conflicting and duplicate values
+---
+ .../accounts_password/tests/conflicting_values.fail.sh | 8 ++++++++
+ .../accounts_password/tests/duplicated_values.pass.sh | 7 +++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 shared/templates/accounts_password/tests/conflicting_values.fail.sh
+ create mode 100644 shared/templates/accounts_password/tests/duplicated_values.pass.sh
+
+diff --git a/shared/templates/accounts_password/tests/conflicting_values.fail.sh b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
+new file mode 100644
+index 00000000000..3517ff43083
+--- /dev/null
++++ b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
++
++truncate -s 0 /etc/security/pwquality.conf
++
++echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
++
++echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> /etc/security/pwquality.conf
+diff --git a/shared/templates/accounts_password/tests/duplicated_values.pass.sh b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
+new file mode 100644
+index 00000000000..e7b7f957d3d
+--- /dev/null
++++ b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
++
++truncate -s 0 /etc/security/pwquality.conf
++
++echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
++echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
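Review bot: `conflicting_values.fail.sh` pins only the order correct-then-wrong; the reverse order, a wrong value followed by the correct one, is left untested, so whether the template's check is last-occurrence-wins or any-mismatch-fails is not documented by these scenarios. A third script with the two `echo` lines swapped, suffixed `.fail.sh` or `.pass.sh` according to the semantics the OVAL is meant to implement, would fix that contract in the test suite. Both scripts truncate and rewrite only `/etc/security/pwquality.conf`, so the added case needs no further setup.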
diff --git a/SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch b/SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch new file mode 100644 index 0000000..bd588cb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch 
@@ -0,0 +1,185 @@ +From 38edb566365afd64632ad12d532ccbafcb7b422b Mon Sep 17 00:00:00 2001 +From: Edgar Aguilar +Date: Thu, 28 Jul 2022 13:51:27 -0500 +Subject: [PATCH] Add OVAL to fapolicy_default_deny + +Add the rule fapolicy_default_deny to OL8 STIG profile, which covers +requirement OL08-00-040137. Include tests to validate OVAL + +Signed-off-by: Edgar Aguilar +--- + .../fapolicy_default_deny/oval/shared.xml | 39 +++++++++++++++++++ + .../fapolicyd/fapolicy_default_deny/rule.yml | 3 +- + .../tests/commented_value.fail.sh | 12 ++++++ + .../tests/correct_value.pass.sh | 12 ++++++ + .../tests/deny_not_last.fail.sh | 12 ++++++ + .../tests/fapolicy_permissive.fail.sh | 5 +++ + .../tests/wrong_value.fail.sh | 11 ++++++ + products/ol8/profiles/stig.profile | 1 + + 8 files changed, 94 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh + create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml +new file mode 100644 +index 00000000000..9989459ad22 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml +@@ -0,0 +1,39 @@ ++ ++ ++ {{{ ++ oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy") ++ }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/fapolicyd/fapolicyd.rules ++ 
(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/fapolicyd/fapolicyd.conf ++ ^\s*permissive\s*=\s*(\d+) ++ 1 ++ ++ ++ 0 ++ ++ +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml +index e6837e5d7bd..5b9a1649571 100644 +--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhel9 ++prodtype: ol8,ol9,rhel8,rhel9 + + title: 'Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.' + +@@ -25,6 +25,7 @@ references: + disa: CCI-001764 + nist: CM-7 (2),CM-7 (5) (b),CM-6 b + srg: SRG-OS-000368-GPOS-00154,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00232 ++ stigid@ol8: OL08-00-040137 + stigid@rhel8: RHEL-08-040137 + + ocil_clause: 'fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy' +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh +new file mode 100644 +index 00000000000..a8df835af76 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} ++ ++truncate -s 0 /etc/fapolicyd/fapolicyd.rules ++ ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules ++echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh 
b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..c88406b0be4 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} ++ ++truncate -s 0 /etc/fapolicyd/fapolicyd.rules ++ ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules ++echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh +new file mode 100644 +index 00000000000..59b16308563 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} ++ ++truncate -s 0 /etc/fapolicyd/fapolicyd.rules ++ ++echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh +new file mode 100644 +index 00000000000..50756a0e7a3 +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ 
bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh +new file mode 100644 +index 00000000000..da3e33f57fd +--- /dev/null ++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# packages = fapolicyd ++# remediation = none ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}} ++ ++truncate -s 0 /etc/fapolicyd/fapolicyd.rules ++ ++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules ++ ++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}} +diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile +index 05f03d339e6..34a136b8489 100644 +--- a/products/ol8/profiles/stig.profile ++++ b/products/ol8/profiles/stig.profile +@@ -1069,6 +1069,7 @@ selections: + - service_fapolicyd_enabled + + # OL08-00-040137 ++ - fapolicy_default_deny + + # OL08-00-040139 + - package_usbguard_installed diff --git a/SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch b/SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch new file mode 100644 index 0000000..4803446 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch 
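Review bot: This embedded patch has to be applied before `scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch` although it sorts after it by filename: the `rule.yml` blob it produces (`5b9a1649571`) and the `oval/shared.xml` blob it creates (`9989459ad22`) are exactly the pre-images the other patch's `index` lines expect, and the test scripts created here with `>` redirections are the ones that patch deletes and replaces. The spec file that orders the `Patch` entries is not part of this diff, so the ordering cannot be confirmed from here; a comment in the spec next to the two `Patch` lines naming the dependency would keep a future reorder from breaking `%prep`. The one-line `products/ol8/profiles/stig.profile` hunk needs no change.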
@@ -0,0 +1,61 @@
+From dc37d3c376cd3f2a2178d82a928629b231662cf9 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Fri, 11 Nov 2022 12:05:28 +0100
+Subject: [PATCH] Align service_disabled template to service_enabled
+
+---
+ .../service_disabled/ansible.template | 32 +++++-------------
+ 1 file changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 5c70756b8af..752f6ac5099 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -3,39 +3,17 @@
+ # strategy = disable
+ # complexity = low
+ # disruption = low
+-{{%- if init_system == "systemd" %}}
+ - name: Disable service {{{ SERVICENAME }}}
+ block:
++ - name: Gather the package facts
++ package_facts:
++ manager: auto
++
+ - name: Disable service {{{ SERVICENAME }}}
+- systemd:
+- name: "{{{ DAEMONNAME }}}.service"
++ service:
++ name: "{{{ DAEMONNAME }}}"
+ enabled: "no"
+ state: "stopped"
+ masked: "yes"
+- ignore_errors: 'yes'
+-
+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+- command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
+- args:
+- warn: False
+- register: socket_file_exists
+- changed_when: False
+- ignore_errors: True
+- check_mode: False
+-
+- name: Disable socket {{{ SERVICENAME }}}
+- systemd:
+- name: "{{{ DAEMONNAME }}}.socket"
+- enabled: "no"
+- state: "stopped"
+- masked: "yes"
+- when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
+-{{% elif init_system == "upstart" %}}
+-- name: Stop {{{ SERVICENAME }}}
+- command: /sbin/service '{{{ DAEMONNAME }}}' stop
+-
+-- name: Switch off {{{ SERVICENAME }}}
+- command: /sbin/chkconfig --level 0123456 '{{{ DAEMONNAME }}}' off
+-{{%- else %}}
+-JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
+-{{%- endif %}}
++ when:
++ - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
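Review bot: The new task disables only the `{{{ DAEMONNAME }}}` service unit and drops the `.socket` handling the template had, so a socket-activated daemon stays reachable: an enabled `.socket` unit will pull the service up again on the first inbound connection even though the service was stopped. If the generic `service` module is kept for parity with service_enabled, keep a second task that masks `{{{ DAEMONNAME }}}.socket` when that unit exists; note also that `service` only forwards `masked: "yes"` to whichever backend it selects, so on a non-systemd host the argument would presumably be rejected rather than honoured. The added `when` turns the whole block into a silent no-op when `{{{ PACKAGENAME }}}` is not installed, which deserves a one-line comment such as `# skipped when the package is absent: the unit cannot exist without it`.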
diff --git a/SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch b/SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch new file mode 100644 index 0000000..8764498 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch 
@@ -0,0 +1,217 @@ +From c27ea9d1987545488b6bca12a9dafd149331b1f9 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Fri, 11 Nov 2022 12:27:11 +0100 +Subject: [PATCH 1/3] Remove deprecated warn parameter from Ansbile command + module + +--- + .../system/accounts/enable_authselect/ansible/shared.yml | 2 -- + .../audit_rules_privileged_commands/ansible/shared.yml | 2 -- + .../audit_rules_suid_privilege_function/ansible/shared.yml | 2 -- + .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 6 ------ + .../rpm_verify_ownership/ansible/shared.yml | 6 ------ + .../rpm_verify_permissions/ansible/shared.yml | 6 ------ + .../ensure_redhat_gpgkey_installed/ansible/shared.yml | 2 -- + 8 files changed, 28 deletions(-) + +diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml +index afd658790f7..6a7324a7a64 100644 +--- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml +@@ -17,8 +17,6 @@ + cmd: rpm -qV pam + register: result_altered_authselect + ignore_errors: yes +- args: +- warn: False + when: + - result_authselect_select is failed + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +index 68c8497c859..bb1fec9e2b8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +@@ -8,8 +8,6 @@ + shell: | + set -o pipefail + find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype 
ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null +- args: +- warn: False + executable: /bin/bash + check_mode: no + register: find_result +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +index b25361136af..c46cbbe3950 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +@@ -49,8 +49,6 @@ + {{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011 + - name: Reload Auditd + command: /usr/sbin/service auditd reload +- args: +- warn: false + {{%- endif %}} + when: + - (augenrules_audit_rules_privilege_function_update_result.changed or +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +index 0241e804b30..0d66cb349c0 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +@@ -22,8 +22,6 @@ + + - name: "Read files with incorrect hash" + command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig +- args: +- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm 
module + register: files_with_incorrect_hash + changed_when: False + failed_when: files_with_incorrect_hash.rc > 1 +@@ -32,8 +30,6 @@ + + - name: Create list of packages + command: rpm -qf "{{ item }}" +- args: +- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module + with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False +@@ -44,8 +40,6 @@ + + - name: "Reinstall packages of files with incorrect hash" + command: "{{ package_manager_reinstall_cmd }} '{{ item }}'" +- args: +- warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" + when: + - files_with_incorrect_hash.stdout_lines is defined +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +index ed490498a1d..f43b9bcef1c 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +@@ -5,8 +5,6 @@ + # disruption = medium + - name: "Read list of files with incorrect ownership" + command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode +- args: +- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module + register: files_with_incorrect_ownership + failed_when: files_with_incorrect_ownership.rc > 1 + changed_when: False +@@ -14,8 +12,6 @@ + + - name: Create list of packages + command: rpm -qf "{{ 
item }}" +- args: +- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module + with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False +@@ -24,7 +20,5 @@ + + - name: "Correct file ownership with RPM" + command: "rpm --quiet --setugids '{{ item }}'" +- args: +- warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" + when: (files_with_incorrect_ownership.stdout_lines | length > 0) +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +index 419ef95a323..0bd8e7e8ad5 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +@@ -5,8 +5,6 @@ + # disruption = medium + - name: "Read list of files with incorrect permissions" + command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup +- args: +- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module + register: files_with_incorrect_permissions + failed_when: files_with_incorrect_permissions.rc > 1 + changed_when: False +@@ -14,8 +12,6 @@ + + - name: Create list of packages + command: rpm -qf "{{ item }}" +- args: +- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module + with_items: "{{ 
files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False +@@ -24,7 +20,5 @@ + + - name: "Correct file permissions with RPM" + command: "rpm --setperms '{{ item }}'" +- args: +- warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" + when: (files_with_incorrect_permissions.stdout_lines | length > 0) +diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml +index f6f590820e1..6ab9bdee767 100644 +--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml ++++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml +@@ -18,8 +18,6 @@ + {{%- else -%}} + command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + {{%- endif %}} +- args: +- warn: False + changed_when: False + register: gpg_fingerprints + check_mode: no + +From 5617aa675132782d53a8714738bd2187d9b2e3ab Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Tue, 15 Nov 2022 10:00:49 +0100 +Subject: [PATCH 2/3] Fix rpm_verify_* ansible remediations + +--- + .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +- + .../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +index 0d66cb349c0..fd850def318 100644 +--- 
a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +@@ -12,7 +12,7 @@ + - name: "Set fact: Package manager reinstall command (yum)" + set_fact: + package_manager_reinstall_cmd: yum reinstall -y +- when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") ++ when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "OracleLinux") + + - name: "Read files with incorrect hash" + command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +index f43b9bcef1c..5c39628ff4c 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +@@ -19,6 +19,6 @@ + when: (files_with_incorrect_ownership.stdout_lines | length > 0) + + - name: "Correct file ownership with RPM" +- command: "rpm --quiet --setugids '{{ item }}'" ++ command: "rpm --setugids '{{ item }}'" + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" + when: (files_with_incorrect_ownership.stdout_lines | length > 0) + +From 957d0439e89ebe5c665aafa16e107c6611d83f6b Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Tue, 15 Nov 2022 17:20:02 +0100 +Subject: [PATCH 3/3] Make rpm_verify_hashes ansible remediation applicable on + all RHELs + +--- + .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +- + 1 file changed, 1 
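Review bot: The `when:` on the yum `set_fact` still enumerates distributions by name, so on any other RHEL-compatible distribution covered by the widened `multi_platform_rhel` platform (Rocky, AlmaLinux and similar) `package_manager_reinstall_cmd` stays undefined and the later `"Reinstall packages of files with incorrect hash"` task would presumably fail on the undefined variable instead of reinstalling the packages whose files were altered. Keying on the package manager fact avoids the list: `when: ansible_pkg_mgr in ["yum", "dnf"]`, since `yum reinstall -y` works under both. Only lines 12–17 of this file are visible here, so check that no other `set_fact` branch above already covers these distributions before changing it.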
insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +index fd850def318..178a7711a54 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +@@ -1,5 +1,5 @@ + # and the regex_findall does not filter out configuration files the same as bash remediation does +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # reboot = false + # strategy = restrict + # complexity = high diff --git a/SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch b/SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch new file mode 100644 index 0000000..d407b9f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch 
@@ -0,0 +1,50 @@
+From 8c6d618070476bd81edd0524c895a3497fc902a6 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 10 Nov 2022 17:48:55 +0100
+Subject: [PATCH] accounts_password_pam_retry: Add test for dupes and conflicts
+
+Add test scenarios to ensure that conflicting values are failing
+and that duplicated rule are passing.
+---
+ .../tests/pwquality_conf_conflicting_values.fail.sh | 12 ++++++++++++
+ .../tests/pwquality_conf_duplicate_values.pass.sh | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
+new file mode 100644
+index 00000000000..16bd1171a46
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# variables = var_password_pam_retry=3
++
++source common.sh
++
++CONF_FILE="/etc/security/pwquality.conf"
++retry_cnt=3
++
++truncate -s 0 $CONF_FILE
++
++echo "retry = 3" >> $CONF_FILE
++echo "retry = 4" >> $CONF_FILE
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh 
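Review bot: pwquality_conf_conflicting_values.fail.sh writes `retry = 3` and then `retry = 4`, so the file also fails under plain last-value-wins semantics; it does not show that the check rejects conflicting definitions as the commit message claims. A second fail scenario with the order reversed (`retry = 4` first, then `retry = 3`) would only fail if the check really treats any conflicting value as non-compliant, which is the property worth pinning. Separately, `retry_cnt=3` is assigned but never used in this scenario (nor in the duplicate-values one); either drop it or use it in the `echo` lines so the value cannot drift from the `# variables = var_password_pam_retry=3` header.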
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
+new file mode 100644
+index 00000000000..da37627dbb3
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# variables = var_password_pam_retry=3
++
++source common.sh
++
++CONF_FILE="/etc/security/pwquality.conf"
++retry_cnt=3
++
++truncate -s 0 $CONF_FILE
++
++echo "retry = 3" >> $CONF_FILE
++echo "retry = 3" >> $CONF_FILE
diff --git a/SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch b/SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
new file mode 100644
index 0000000..436af6a
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
@@ -0,0 +1,81 @@
+From ddf34ef7c71b79ca12ccfcd00eada2c08c34d2c9 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Mon, 14 Nov 2022 17:16:53 +0100
+Subject: [PATCH 1/2] Revert "Align service_disabled template to
+ service_enabled"
+
+This reverts commit dc37d3c376cd3f2a2178d82a928629b231662cf9.
+---
+ .../service_disabled/ansible.template | 32 ++++++++++++++-----
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 752f6ac5099..5c70756b8af 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -3,17 +3,33 @@
+ # strategy = disable
+ # complexity = low
+ # disruption = low
++{{%- if init_system == "systemd" %}}
+ - name: Disable service {{{ SERVICENAME }}}
+ block:
+- - name: Gather the package facts
+- package_facts:
+- manager: auto
+-
+ - name: Disable service {{{ SERVICENAME }}}
+- service:
+- name: "{{{ DAEMONNAME }}}"
++ systemd:
++ name: "{{{ DAEMONNAME }}}.service"
+ enabled: "no"
+ state: "stopped"
+ masked: "yes"
+- when:
+- - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
++ ignore_errors: 'yes'
++
++- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
++ command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
++ args:
++ warn: False
++ register: socket_file_exists
++ changed_when: False
++ ignore_errors: True
++ check_mode: False
++
++- name: Disable socket {{{ SERVICENAME }}}
++ systemd:
++ name: "{{{ DAEMONNAME }}}.socket"
++ enabled: "no"
++ state: "stopped"
++ masked: "yes"
++ when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
++{{%- else %}}
++JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
++{{%- endif %}}
+
+From 8c20a2bc997c0a24eba2a9924d832954b9e91b6a Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Mon, 14 Nov 2022 17:37:50 +0100
+Subject: [PATCH 2/2] Make service_disabled template compatible 
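Review bot: The restored systemd task carries `ignore_errors: 'yes'`, so a failure to stop or mask `{{{ DAEMONNAME }}}.service` is swallowed and the remediation reports success while the service may still be running; the `Disable socket` task below does not have that flag, so it is worth dropping here too, or registering the result and failing explicitly. The socket condition `'"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'` also assumes `systemctl list-unit-files` always prints a header line followed by a second line, which presumably does not hold on systemd versions that print a single `0 unit files listed.` line when nothing matches; `'"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout'` is the same test without the positional assumption. Note that the `upstart` branch removed by the reverted hunk is not reinstated, so this is a partial revert; if that is deliberate for 0.1.65, say so in the commit message.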
with Ansible
+ 2.14
+
+---
+ shared/templates/service_disabled/ansible.template | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 5c70756b8af..72678e050cf 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -16,8 +16,6 @@
+
+ - name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+ command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
+- args:
+- warn: False
+ register: socket_file_exists
+ changed_when: False
+ ignore_errors: True
diff --git a/SOURCES/scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch b/SOURCES/scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
new file mode 100644
index 0000000..cd6bf6d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
@@ -0,0 +1,1739 @@ +From 2f0f9914e94e2aaf614b530548d94354a8bcab2d Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 13 Oct 2022 18:59:06 +0200 +Subject: [PATCH 01/14] Improve rule descriptions for + firewalld_sshd_port_enabled + +It was also included the platform section since the scope of this rule +is only applicable to machines and not to containers. +--- + .../firewalld_sshd_port_enabled/rule.yml | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +index 77ba9d3cca4..9b96faf222d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +@@ -5,14 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 + title: 'Enable SSH Server firewalld Firewall Exception' + + description: |- +- By default, inbound connections to SSH's port are allowed. If +- the SSH server is being used but denied by the firewall, this exception should +- be added to the firewall configuration. ++ If the SSH server is in use, inbound connections to SSH's port should be allowed to permit ++ remote access through SSH. In more restrictive firewalld settings, the SSH port should be ++ added to the proper firewalld zone in order to allow SSH remote access. +

+ {{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} + + rationale: |- +- If inbound SSH connections are expected, adding a firewall rule exception ++ If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone + will allow remote access through the SSH port. + + severity: medium +@@ -28,11 +28,23 @@ references: + nist: AC-17(a),CM-6(b),CM-7(a),CM-7(b) + srg: SRG-OS-000096-GPOS-00050 + +-ocil_clause: 'sshd service is disabled by firewall' ++platform: machine ++ ++ocil_clause: 'sshd service is not enabled in the proper firewalld zone' ++ + ocil: | + {{{ ocil_firewalld_allow_access(port="22", proto="tcp", service="ssh") }}} + + fixtext: |- +- Enable sshd in firewalld configuration. ++ Enable SSH service in firewalld configuration. + + {{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} ++ ++warnings: ++ - general: |- ++ The remediation for this rule uses firewall-cmd and nmcli tools. ++ Therefore, it will only be executed if firewalld and NetworkManager ++ services are running. Otherwise, the remediation will be aborted and a informative message ++ will be shown in the remediation report. ++ These respective services will not be started in order to preserve any intentional change ++ in network components related to firewall and network interfaces. + +From 4e76d01001398948de8d1b085964bbb1ea68626c Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Fri, 14 Oct 2022 09:02:08 +0200 +Subject: [PATCH 02/14] Increase robustness of firewalld_sshd_port_enabled bash + remediation + +The remediation was not capable to properly treat some special cases, +like a system with multiple interfaces. It wasn't also capable to safely +configure the correct interface since it was assuming the NetworkManager +connection file was prefixed with the network interface name. In +addition, it is not stable to manually change firewalld XML files while +a proper command is present. 
This commit makes the remediation reliable +and assertive by using firewall-cmd and nmcli commands. +--- + .../bash/shared.sh | 76 +++++++++---------- + 1 file changed, 37 insertions(+), 39 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +index a328bee5c8a..e1b4f0fbd20 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +@@ -5,49 +5,47 @@ + # disruption = low + + {{{ bash_package_install("firewalld") }}} +- ++{{{ bash_package_install("NetworkManager") }}} + {{{ bash_instantiate_variables("firewalld_sshd_zone") }}} + +-{{% if product in ['rhel9'] %}} +- {{% set network_config_path = "/etc/NetworkManager/system-connections/${interface}.nmconnection" %}} +-{{% else %}} +- {{% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${interface}" %}} +-{{% endif %}} ++if firewall-cmd --state -q; then ++ # First make sure the SSH service is enabled in run-time for the proper zone. ++ # This is to avoid connection issues when new interfaces are addeded to this zone. ++ firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh + +-# This assumes that firewalld_sshd_zone is one of the pre-defined zones +-if [ ! -f "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" ]; then +- cp "/usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml" "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" +-fi +-if ! 
grep -q 'service name="ssh"' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"; then +- sed -i '/<\/description>/a \ +- ' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" +-fi ++ if systemctl is-active NetworkManager; then ++ # This will collect all NetworkManager connections names ++ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) + +-# Check if any eth interface is bounded to the zone with SSH service enabled +-nic_bound=false +-readarray -t eth_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') +-for interface in "${eth_interface_list[@]}"; do +- if grep -qi "ZONE=$firewalld_sshd_zone" "{{{ network_config_path }}}"; then +- nic_bound=true +- break; +- fi +-done +- +-if [ $nic_bound = false ];then +- # Add first NIC to SSH enabled zone +- interface="${eth_interface_list[0]}" +- +- if ! firewall-cmd --state -q; then +- {{% if product in ['rhel9'] %}} +- {{{ bash_replace_or_append(network_config_path, '^zone=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}} +- {{% else %}} +- {{{ bash_replace_or_append(network_config_path, '^ZONE=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}} +- {{% endif %}} ++ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++ # This will not change connections which are already assigned to any firewalld zone. 
++ for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone ++ fi ++ done ++ systemctl restart NetworkManager + else +- # If firewalld service is running, we need to do this step with firewall-cmd +- # Otherwise firewalld will communicate with NetworkManage and will revert assigned zone +- # of NetworkManager managed interfaces upon reload +- firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="${eth_interface_list[0]}" +- firewall-cmd --reload ++ echo " ++ NetworkManager service is not active. Remediation aborted! ++ This remediation could not be applied because it depends on NetworkManager service running. ++ The service is not started by this remediation in order to prevent connection issues." ++ exit 1 + fi ++ ++ # Active zones are zones with at least one interface assigned to it. ++ # It is possible that traffic is comming by any active interface and consequently any ++ # active zone. So, this make sure all active zones are permanently allowing SSH service. ++ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ for zone in $firewalld_active_zones; do ++ firewall-cmd --permanent --zone="$zone" --add-service=ssh ++ done ++ firewall-cmd --reload ++else ++ echo " ++ firewalld service is not active. Remediation aborted! ++ This remediation could not be applied because it depends on firewalld service running. ++ The service is not started by this remediation in order to prevent connection issues." 
++ exit 1 + fi + +From a1fe2e8c34f8dbbaf573e6d6fa37b8e4fc63ad09 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Wed, 19 Oct 2022 13:19:46 +0200 +Subject: [PATCH 03/14] Include warning message regarging custom SSH port + +--- + .../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +index 9b96faf222d..d49a2af1d02 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +@@ -48,3 +48,10 @@ warnings: + will be shown in the remediation report. + These respective services will not be started in order to preserve any intentional change + in network components related to firewall and network interfaces. ++ - general: |- ++ This rule also checks if the SSH port was modified by the administrator and is reflecting ++ the expected port number. Although this is checked, fixing the custom ssh.xml file is not ++ in the scope of the remediation since there is no reliable way to manually change the ++ respective file. If the default SSH port is modified, it is on the administrator ++ responsibility to ensure the firewalld customizations in the service port level are ++ properly configured. 
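Review bot: Both loops iterate the arrays filled by `readarray -t` as `$nm_connections` and `$firewalld_active_zones`, which expands to the first element only, so on a host with several NetworkManager connections or several active zones only the first connection is assigned a zone and only the first zone gets the ssh service; the unquoted `[ $current_zone = "--" ]` additionally turns into a syntax error when `nmcli` prints nothing. Use `for connection in "${nm_connections[@]}"; do`, `if [ "$current_zone" = "--" ]; then` and `for zone in "${firewalld_active_zones[@]}"; do` — the `[@]` form also keeps connection names containing spaces intact. Two further points deserve a comment or a tighter check: `firewall-cmd --get-active-zones | grep -v interfaces` does not filter `sources:` lines, so a zone activated through a source binding would presumably make the loop call `firewall-cmd` with `sources:` as the zone name; and permanently adding ssh to every active zone widens SSH exposure beyond `$firewalld_sshd_zone`, including zones an administrator kept deliberately restrictive, which neither the rule description nor its warnings mention.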
+ +From b7c665bd163acb0595438223e4ebaa6a34e674a0 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Fri, 14 Oct 2022 15:03:33 +0200 +Subject: [PATCH 04/14] Review test scenario scripts + +--- + .../tests/no_nic_in_ssh_zone.fail.sh | 7 +------ + .../firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh | 4 ---- + .../tests/ssh_zone_and_nic_mismatch.fail.sh | 4 ---- + .../tests/ssh_zone_nic_bounded.pass.sh | 3 --- + 4 files changed, 1 insertion(+), 17 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh +index 7ed0c21ed1e..21d7c0eafc4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh +@@ -1,9 +1,5 @@ + #!/bin/bash + # packages = firewalld +-# +-# remediation = none +- +-# ensure firewalld installed + + # Make sure there is a zone with ssh service enabled + firewall-cmd --permanent --zone=work --add-service=ssh +@@ -11,8 +7,7 @@ firewall-cmd --permanent --zone=work --add-service=ssh + all_zones=$(firewall-cmd --get-zones) + eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') + +-# Make sure NICs are bounded to no zone +-# Note: Interfaces managed by NetworkManager will be assigned to the default firewalld zone ++# Make sure all NICs are not bounded to any zone + for zone in $all_zones; do + for interface in $eth_interfaces; do + firewall-cmd --permanent --zone=$zone --remove-interface=$interface +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh +index 78918c9fee5..41fb83d9489 100644 +--- 
a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh +@@ -1,9 +1,5 @@ + #!/bin/bash + # packages = firewalld +-# +-# remediation = none +- +-# ensure firewalld installed + + all_zones=$(firewall-cmd --get-zones) + for zone in $all_zones;do +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh +index fed30230588..ab05492f74d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh +@@ -1,9 +1,5 @@ + #!/bin/bash + # packages = firewalld +-# +-# remediation = none +- +-# ensure firewalld installed + + # Make sure there is only one zone with ssh service enabled + all_zones=$(firewall-cmd --get-zones) +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh +index f426236466f..eabc38e7248 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh +@@ -1,8 +1,5 @@ + #!/bin/bash + # packages = firewalld +-# +- +-# ensure firewalld installed + + firewall-cmd --permanent --zone=public --add-service=ssh + + +From 32a41b09b0b963e3fb681a5ea617e96383e2277c Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Wed, 19 Oct 2022 08:39:04 +0200 +Subject: [PATCH 05/14] Reinvent the test scenarios for + firewalld_sshd_port_enabled + +The test scenarios were aligned to the 
old remediation approach, making +them also incomplete and incapable to catch real cases. Once the +remediation was robust, test scenarios also need the same level of +robustness in order to ensure the rules is as much realistic as +possible. They are now covering cases with multiple interfaces and +multiple active zones. It is also covered custom SSH port. +--- + .../tests/customized_zone_configured.pass.sh | 37 +++++++++++++++++ + .../tests/customized_zone_without_ssh.fail.sh | 37 +++++++++++++++++ + .../tests/new_zone_configured.pass.sh | 39 ++++++++++++++++++ + .../tests/new_zone_without_ssh.fail.sh | 40 +++++++++++++++++++ + .../tests/no_nic_in_ssh_zone.fail.sh | 18 --------- + .../tests/no_ssh_zone.fail.sh | 10 ----- + .../tests/only_nics_configured.fail.sh | 35 ++++++++++++++++ + .../tests/only_zones_configured.fail.sh | 34 ++++++++++++++++ + .../tests/ssh_port_enabled.pass.sh | 5 --- + .../tests/ssh_zone_and_nic_mismatch.fail.sh | 25 ------------ + .../tests/ssh_zone_nic_bounded.pass.sh | 8 ---- + .../tests/zones_and_nics_configured.pass.sh | 34 ++++++++++++++++ + .../zones_and_nics_ok_no_custom_files.pass.sh | 39 ++++++++++++++++++ + .../zones_and_nics_ok_port_changed.pass.sh | 38 ++++++++++++++++++ + 14 files changed, 333 insertions(+), 66 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh + delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh + delete mode 100644 
linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh + delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh + delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh + delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh +new file mode 100644 +index 00000000000..9bfd1737dc8 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh +@@ -0,0 +1,37 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=work --add-service=ssh ++ ++# Collect all NetworkManager connections names. 
++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++# This will not change connections which are already assigned to any firewalld zone. ++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone "work" ++ fi ++done ++systemctl restart NetworkManager ++ ++# Active zones are zones with at least one interface assigned to it. ++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ ++# It is possible that traffic is comming by any active interface and consequently any ++# active zone. So, this make sure all active zones are permanently allowing SSH service. ++# Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is ++# created in /etc/firewalld/zones. ++for zone in $firewalld_active_zones; do ++ firewall-cmd --permanent --zone="$zone" --add-service=ssh ++ firewall-cmd --permanent --zone="$zone" --add-service=http ++done ++ ++firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh +new file mode 100644 +index 00000000000..f1d152c683e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh +@@ -0,0 +1,37 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. 
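Review bot: `for connection in $nm_connections; do` and `for zone in $firewalld_active_zones; do` expand only element 0 of the arrays filled by `readarray -t`, and expand it unquoted, so on a host with several connections or several active zones only the first one is handled, and a first connection whose name contains spaces is split into separate words, which defeats the multi-interface and multi-zone coverage this scenario is meant to provide. Iterate with `for connection in "${nm_connections[@]}"; do` and `for zone in "${firewalld_active_zones[@]}"; do`, and quote the comparison as `if [ "$current_zone" = "--" ]; then` so an empty value yields a false comparison instead of a test error. The same loops are copied into customized_zone_without_ssh.fail.sh, new_zone_configured.pass.sh, new_zone_without_ssh.fail.sh, only_nics_configured.fail.sh, only_zones_configured.fail.sh, zones_and_nics_configured.pass.sh, zones_and_nics_ok_no_custom_files.pass.sh and zones_and_nics_ok_port_changed.pass.sh; the title of patch 08 in this series suggests the equivalent loop in bash/shared.sh is being corrected, and the scenarios need the same fix.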
++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=work --add-service=ssh ++ ++# Collect all NetworkManager connections names. ++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++# This will not change connections which are already assigned to any firewalld zone. ++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone "work" ++ fi ++done ++systemctl restart NetworkManager ++ ++# Active zones are zones with at least one interface assigned to it. ++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ ++# It is possible that traffic is comming by any active interface and consequently any ++# active zone. So, this make sure all active zones are permanently allowing SSH service. ++# It is to ensure a custom file is created in /etc/firewalld/zones. ++for zone in $firewalld_active_zones; do ++ firewall-cmd --permanent --zone="$zone" --remove-service=ssh ++ firewall-cmd --permanent --zone="$zone" --add-service=http ++done ++ ++# Do not reload, otherwise SSG Test suite will be locked out. ++#firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh +new file mode 100644 +index 00000000000..cb8849b3f9f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh +@@ -0,0 +1,39 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. 
++systemctl start firewalld NetworkManager ++ ++# Create a custom zone ++custom_zone_name="custom" ++firewall-cmd --new-zone=$custom_zone_name --permanent ++firewall-cmd --reload ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=$custom_zone_name --add-service=ssh ++ ++# Collect all NetworkManager connections names. ++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++# This will not change connections which are already assigned to any firewalld zone. ++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone "$custom_zone_name" ++ fi ++done ++systemctl restart NetworkManager ++ ++# Active zones are zones with at least one interface assigned to it. ++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ ++# It is possible that traffic is comming by any active interface and consequently any ++# active zone. So, this make sure all active zones are permanently allowing SSH service. 
++for zone in $firewalld_active_zones "$custom_zone_name"; do ++ firewall-cmd --permanent --zone="$zone" --add-service=ssh ++done ++ ++firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh +new file mode 100644 +index 00000000000..5e0a6453df7 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh +@@ -0,0 +1,40 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Create a custom zone ++custom_zone_name="custom" ++firewall-cmd --new-zone=$custom_zone_name --permanent ++firewall-cmd --reload ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=$custom_zone_name --add-service=ssh ++ ++# Collect all NetworkManager connections names. ++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++# This will not change connections which are already assigned to any firewalld zone. ++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone "$custom_zone_name" ++ fi ++done ++systemctl restart NetworkManager ++ ++# Active zones are zones with at least one interface assigned to it. 
++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ ++# It is possible that traffic is comming by any active interface and consequently any ++# active zone. So, this make sure all active zones are permanently allowing SSH service. ++for zone in $firewalld_active_zones "$custom_zone_name"; do ++ firewall-cmd --permanent --zone="$zone" --remove-service=ssh ++done ++ ++# Do not reload, otherwise SSG Test suite will be locked out. ++#firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh +deleted file mode 100644 +index 21d7c0eafc4..00000000000 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh ++++ /dev/null +@@ -1,18 +0,0 @@ +-#!/bin/bash +-# packages = firewalld +- +-# Make sure there is a zone with ssh service enabled +-firewall-cmd --permanent --zone=work --add-service=ssh +- +-all_zones=$(firewall-cmd --get-zones) +-eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') +- +-# Make sure all NICs are not bounded to any zone +-for zone in $all_zones; do +- for interface in $eth_interfaces; do +- firewall-cmd --permanent --zone=$zone --remove-interface=$interface +- done +-done +- +-# Do not reload, otherwise SSG Test suite will be locked out +-# firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh +deleted file mode 100644 +index 41fb83d9489..00000000000 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh ++++ /dev/null +@@ -1,10 +0,0 @@ +-#!/bin/bash +-# packages = firewalld +- +-all_zones=$(firewall-cmd --get-zones) +-for zone in 
$all_zones;do +- firewall-cmd --permanent --zone=$zone --remove-service=ssh +-done +- +-# Do not reload, otherwise SSG Test suite will be locked out +-# firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh +new file mode 100644 +index 00000000000..98525db2729 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh +@@ -0,0 +1,35 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=work --add-service=ssh ++ ++# Collect all NetworkManager connections names. ++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++# This will not change connections which are already assigned to any firewalld zone. ++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone "work" ++ fi ++done ++systemctl restart NetworkManager ++ ++# Active zones are zones with at least one interface assigned to it. ++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ ++# It is possible that traffic is comming by any active interface and consequently any ++# active zone. So, this make sure all active zones are permanently allowing SSH service. 
++for zone in $firewalld_active_zones; do ++ firewall-cmd --permanent --zone="$zone" --remove-service=ssh ++done ++ ++# Do not reload, otherwise SSG Test suite will be locked out. ++#firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh +new file mode 100644 +index 00000000000..e14d6c959dc +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh +@@ -0,0 +1,34 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=work --add-service=ssh ++ ++# Collect all NetworkManager connections names. ++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is already assigned to a firewalld zone, removes the assignment. ++# This will not change connections which are not assigned to any firewalld zone. ++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone != "--" ]; then ++ nmcli connection modify "$connection" connection.zone "" ++ fi ++done ++systemctl restart NetworkManager ++ ++readarray -t firewalld_all_zones < <(firewall-cmd --get-zones) ++ ++# Ensure all zones are permanently allowing SSH service. 
++for zone in $firewalld_all_zones; do ++ firewall-cmd --permanent --zone="$zone" --add-service=ssh ++done ++ ++# It is not a problem to reload the settings since all interfaces without an explicit assgined zone ++# will be automatically assigned to the default zone. ++firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh +deleted file mode 100644 +index c9959c40937..00000000000 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh ++++ /dev/null +@@ -1,5 +0,0 @@ +-#!/bin/bash +-# packages = firewalld +- +-firewall-cmd --add-port=22/tcp +-firewall-cmd --add-port=22/tcp --permanent +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh +deleted file mode 100644 +index ab05492f74d..00000000000 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh ++++ /dev/null +@@ -1,25 +0,0 @@ +-#!/bin/bash +-# packages = firewalld +- +-# Make sure there is only one zone with ssh service enabled +-all_zones=$(firewall-cmd --get-zones) +-for zone in $all_zones;do +- firewall-cmd --permanent --zone=$zone --remove-service=ssh +-done +-firewall-cmd --permanent --zone=work --add-service=ssh +- +-all_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1) +- +-# Make sure NICs are bounded to no zone +-for zone in $all_zones; do +- for interface in $all_interfaces; do +- firewall-cmd --permanent --zone=$zone --remove-interface=$interface +- done +-done +- +-eth_interfaces=$(echo "$all_interfaces" | grep -E '^(en|eth)') +-# Add interface to wrong zone +-firewall-cmd --permanent --zone=trusted 
--add-interface=${eth_interfaces[0]} +- +-# Do not reload, otherwise SSG Test suite will be locked out +-# firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh +deleted file mode 100644 +index eabc38e7248..00000000000 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh ++++ /dev/null +@@ -1,8 +0,0 @@ +-#!/bin/bash +-# packages = firewalld +- +-firewall-cmd --permanent --zone=public --add-service=ssh +- +-eth_interface=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') +- +-firewall-cmd --permanent --zone=public --add-interface=${eth_interface[0]} +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh +new file mode 100644 +index 00000000000..489fe6ae7e8 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh +@@ -0,0 +1,34 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=work --add-service=ssh ++ ++# Collect all NetworkManager connections names. ++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++# This will not change connections which are already assigned to any firewalld zone. 
++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone "work" ++ fi ++done ++systemctl restart NetworkManager ++ ++# Active zones are zones with at least one interface assigned to it. ++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ ++# It is possible that traffic is comming by any active interface and consequently any ++# active zone. So, this make sure all active zones are permanently allowing SSH service. ++for zone in $firewalld_active_zones; do ++ firewall-cmd --permanent --zone="$zone" --add-service=ssh ++done ++ ++firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh +new file mode 100644 +index 00000000000..c53fb99de78 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh +@@ -0,0 +1,39 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=work --add-service=ssh ++ ++# Collect all NetworkManager connections names. ++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ ++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. ++# This will not change connections which are already assigned to any firewalld zone. 
++for connection in $nm_connections; do ++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') ++ if [ $current_zone = "--" ]; then ++ nmcli connection modify "$connection" connection.zone "work" ++ fi ++done ++systemctl restart NetworkManager ++ ++# Active zones are zones with at least one interface assigned to it. ++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) ++ ++# It is possible that traffic is comming by any active interface and consequently any ++# active zone. So, this make sure all active zones are permanently allowing SSH service. ++for zone in $firewalld_active_zones; do ++ firewall-cmd --permanent --zone="$zone" --add-service=ssh ++done ++ ++# The work zone, used in this test scenario, allows ssh by default. Therefore, it is not expected ++# the previous command will create a respective file in /etc. However, it makes sure the /etc dir ++# is empty anyways. ++rm -f /etc/firewalld/zones/* ++ ++firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh +new file mode 100644 +index 00000000000..46c4ed5f4d7 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh +@@ -0,0 +1,38 @@ ++#!/bin/bash ++# packages = firewalld, NetworkManager ++# variables = firewalld_sshd_zone=work, sshd_listening_port=2222 ++ ++# Ensure the required services are started. ++systemctl start firewalld NetworkManager ++ ++# Ensure the SSH service is enabled in run-time for the proper zone. ++# This is to avoid connection issues when new interfaces are addeded to this zone. ++firewall-cmd --zone=work --add-service=ssh ++ ++# Collect all NetworkManager connections names. 
++readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
++
++# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
++# This will not change connections which are already assigned to any firewalld zone.
++for connection in $nm_connections; do
++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
++ if [ $current_zone = "--" ]; then
++ nmcli connection modify "$connection" connection.zone "work"
++ fi
++done
++systemctl restart NetworkManager
++
++# Active zones are zones with at least one interface assigned to it.
++readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
++
++# It is possible that traffic is comming by any active interface and consequently any
++# active zone. So, this make sure all active zones are permanently allowing SSH service.
++for zone in $firewalld_active_zones; do
++ firewall-cmd --permanent --zone="$zone" --add-service=ssh
++done
++
++cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
++sed -i 's/port="22"/port="2222"/g' /etc/firewalld/services/ssh.xml
++
++# Do not reload, otherwise SSG Test suite will be locked out.
++#firewall-cmd --reload
+
+From db26bb5efb0746c165e17294a7cde9c7e712cd85 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt
+Date: Thu, 13 Oct 2022 11:51:05 +0200
+Subject: [PATCH 06/14] Recreated OVAL assessment for
+ firewalld_sshd_port_enabled
+
+There are some corner cases involving possible realistic scenarios with
+firewalld and NetworkManager. Based on the remediation refactoring, the
+OVAL assessment was also reformulated to be more simple and much more
+reliable. It is now checking firewalld packaged files and also custom
+files respecting the proper order in case of custom files.
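Review bot: `sed -i 's/port="22"/port="2222"/g' /etc/firewalld/services/ssh.xml` is never verified, so if the packaged ssh.xml does not carry the attribute in exactly that form the substitution is a no-op and this pass scenario silently turns into the default-port case, leaving the custom-port branch of the check unexercised. Add `grep -q 'port="2222"' /etc/firewalld/services/ssh.xml || exit 1` after the sed so the scenario fails loudly when its precondition is not met. The header declares `sshd_listening_port=2222` but nothing here reconfigures sshd itself; whether the check reads that variable cannot be told from this hunk, so a one-line comment stating that only the firewalld service definition is meant to change would help.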
+--- + .../oval/shared.xml | 312 ++++++++++++------ + 1 file changed, 206 insertions(+), 106 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +index e944f938a59..e4c03c9aa4d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +@@ -1,109 +1,209 @@ + +- +- {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to +- the SSH port (22).") }}} +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- /etc/firewalld/services +- ^.*\.xml$ +- /service/service[@name='ssh'] +- +- +- +- +- +- +- +- /etc/firewalld/services +- ^.*\.xml$ +- <port.*port="(\d+)" +- 1 +- +- +- +- +- +- +- /etc/firewalld/zones +- ^.*\.xml$ +- /zone/service[@name='ssh'] +- +- +- +- +- +- +- +- /etc/firewalld/zones +- ^.*\.xml$ +- <port.*port="(\d+)" +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- /etc/firewalld/zones +- +- /zone/service[@name='ssh'] +- +- +- +- +- +- +- .xml +- +- +-{{% if product in ["fedora", "rhel9"] %}} +- +- /etc/NetworkManager/system-connections +- .*\.nmconnection +- ^zone=(.*)$ +- 1 +- +-{{% else %}} +- +- /etc/sysconfig/network-scripts +- ifcfg-.* +- ^ZONE=(.*)$ +- 1 +- +-{{% endif %}} +- +- +- +- +- +- ++ ++ {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to ++ the SSH service.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + ++ ++ ++ ++ ++ ++ ++ ++ var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% if product in ["fedora", "rhel9"] %}} ++ /etc/NetworkManager/system-connections ++ .*\.nmconnection ++ ^zone=(.*)$ ++ {{% else %}} ++ /etc/sysconfig/network-scripts ++ ifcfg-.* ++ ^ZONE=(.*)$ ++ {{% endif %}} ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% if product in ["fedora", 
"rhel9"] %}} ++ /etc/NetworkManager/system-connections ++ .*\.nmconnection ++ {{% else %}} ++ /etc/sysconfig/network-scripts ++ ifcfg-.* ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /usr/lib/firewalld/zones ++ ++ /zone/service[@name='ssh'] ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/firewalld/zones ++ ++ ++ ++ ++ ++ ^(dmz|external|home|internal|public|trusted|work)\.xml$ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/firewalld/zones ++ ^.*\.xml$ ++ /zone/service[@name='ssh'] ++ ++ ++ ++ /zone/service[@name='ssh'] ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /usr/lib/firewalld/services/ssh.xml ++ /service/port[@port='22'] ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/firewalld/services/ssh.xml ++ <port.*port="(\d+)" ++ 1 ++ ++ ++ ++ ++ ++ ++ + + +From 84755e320f3f8fd73151c7d8e15370a1825b080d Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Wed, 19 Oct 2022 18:36:24 +0200 +Subject: [PATCH 07/14] Introduce new Ansible remediation + +The previous remediation, besides being disaligned to the previous bash +remediation, was also problematic. It was completly rewritten in this +commit in order to be aligned to the Bash remediation. It was also +enabled this Ansible remediation for all platforms, including RHEL9. 
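Review bot: The pattern `^(dmz|external|home|internal|public|trusted|work)\.xml$` hard-codes the seven stock zone names, so whichever object it belongs to is restricted to those files; a zone created by the administrator (such as the `custom` zone in new_zone_configured.pass.sh) or one shipped by another package into /usr/lib/firewalld/zones falls outside it, and because the XML element markup is stripped in this rendering I cannot tell whether that is the intent. If the intent is "zone files that have a packaged default to fall back to", a comment beside the pattern, e.g. `<!-- only zones with a packaged counterpart in /usr/lib/firewalld/zones; custom zones are covered by the /etc/firewalld/zones object below -->`, would spare the next reader the same question; otherwise the set should be derived from the packaged directory rather than enumerated.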
+--- + .../ansible/shared.yml | 97 +++++++++++++++---- + 1 file changed, 79 insertions(+), 18 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +index 2553a4d2e57..fa7830761df 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +@@ -1,28 +1,89 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol ++# platform = multi_platform_all + # reboot = false + # complexity = low + # strategy = configure + # disruption = low + +-- name: Ensure firewalld is installed +- package: ++{{{ ansible_instantiate_variables("firewalld_sshd_zone") }}} ++ ++- name: '{{{ rule_title }}} - Ensure firewalld and NetworkManager packages are installed' ++ ansible.builtin.package: + name: "{{ item }}" + state: present + with_items: + - firewalld ++ - NetworkManager ++ ++- name: '{{{ rule_title }}} - Collect facts about system services' ++ ansible.builtin.service_facts: ++ register: result_services_states ++ ++- name: '{{{ rule_title }}} - Remediation is applicable if firewalld and NetworkManager services are running' ++ block: ++ - name: '{{{ rule_title }}} - Collect NetworkManager connections names' ++ ansible.builtin.shell: ++ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 ++ register: result_nmcli_cmd_connections_names ++ changed_when: false ++ ++ - name: '{{{ rule_title }}} - Collect NetworkManager connections zones' ++ ansible.builtin.shell: ++ cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}' ++ register: result_nmcli_cmd_connections_zones ++ changed_when: false ++ with_items: ++ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" ++ ++ - name: '{{{ 
rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone' ++ ansible.builtin.command: ++ cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }} ++ register: result_nmcli_cmd_connections_assignment ++ with_together: ++ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" ++ - "{{ result_nmcli_cmd_connections_zones.results }}" ++ when: ++ - item.1.stdout == '--' ++ ++ - name: '{{{ rule_title }}} - Ensure NetworkManager connections changes are applied' ++ ansible.builtin.service: ++ name: NetworkManager ++ state: restarted ++ when: ++ - result_nmcli_cmd_connections_assignment is changed ++ ++ - name: '{{{ rule_title }}} - Collect firewalld active zones' ++ ansible.builtin.shell: ++ cmd: firewall-cmd --get-active-zones | grep -v interfaces ++ register: result_firewall_cmd_zones_names ++ changed_when: false ++ ++ - name: '{{{ rule_title }}} - Ensure firewalld zones allow SSH' ++ ansible.builtin.command: ++ cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh ++ register: result_nmcli_cmd_connections_assignment ++ changed_when: ++ - "'ALREADY_ENABLED' not in result_nmcli_cmd_connections_assignment.stderr" ++ with_items: ++ - "{{ result_firewall_cmd_zones_names.stdout_lines }}" ++ ++ - name: '{{{ rule_title }}} - Ensure firewalld changes are applied' ++ ansible.builtin.service: ++ name: firewalld ++ state: reloaded ++ when: ++ - result_nmcli_cmd_connections_assignment is changed ++ when: ++ - ansible_facts.services['firewalld.service'].state == 'running' ++ - ansible_facts.services['NetworkManager.service'].state == 'running' + +-{{{ ansible_instantiate_variables("sshd_listening_port") }}} +- +-- name: Enable SSHD in firewalld (custom port) +- firewalld: +- port: "{{ sshd_listening_port }}/tcp" +- permanent: yes +- state: enabled +- when: sshd_listening_port != 22 +- +-- name: Enable SSHD in firewalld (default port) +- firewalld: +- service: ssh +- permanent: yes +- state: enabled +- when: 
sshd_listening_port == 22 ++- name: '{{{ rule_title }}} - Informative message based on services states' ++ ansible.builtin.assert: ++ that: ++ - ansible_facts.services['firewalld.service'].state == 'running' ++ - ansible_facts.services['NetworkManager.service'].state == 'running' ++ fail_msg: ++ - firewalld and NetworkManager services are not active. Remediation aborted! ++ - This remediation could not be applied because it depends on firewalld and NetworkManager services running. ++ - The service is not started by this remediation in order to prevent connection issues. ++ success_msg: ++ - {{{ rule_title }}} remediation successfully executed + +From d4f81e27994e17049f448d8410b4a8cfb5a9bdd2 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 20 Oct 2022 08:37:03 +0200 +Subject: [PATCH 08/14] Fix loop over array in bash remediation + +--- + .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +index e1b4f0fbd20..afb89b7005a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +@@ -19,7 +19,7 @@ if firewall-cmd --state -q; then + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
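Review bot: The zone list fed to `firewall-cmd --permanent --zone={{ item }} --add-service=ssh` comes from `firewall-cmd --get-active-zones | grep -v interfaces`, which only drops the `interfaces:` detail lines; if I read the firewalld output format correctly, a zone that is active because of a source address prints a `sources:` detail line instead, and that line would then be passed as a zone name and make the task, and with it the whole block, fail. Filtering on the indented detail lines, e.g. `grep -Ev '^\s+(interfaces|sources):'`, keeps only zone names; the bash remediation in the PATCH 08 hunk below builds the array with the same pipeline and needs the same fix. Separately, `register: result_nmcli_cmd_connections_assignment` is reused by the firewalld task, so the NetworkManager-restart condition and the firewalld-reload condition read two different results under one name; registering the second as e.g. `result_firewall_cmd_add_ssh` would make each `is changed` test self-explanatory.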
+- for connection in $nm_connections; do
++ for connection in "${nm_connections[@]}"; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
+@@ -38,7 +38,7 @@ if firewall-cmd --state -q; then
+ # It is possible that traffic is comming by any active interface and consequently any
+ # active zone. So, this make sure all active zones are permanently allowing SSH service.
+ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+- for zone in $firewalld_active_zones; do
++ for zone in "${firewalld_active_zones[@]}"; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+ done
+ firewall-cmd --reload
+
+From 403c44d66e06d5463758ba70abdca967a4173f69 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt
+Date: Thu, 20 Oct 2022 10:49:20 +0200
+Subject: [PATCH 09/14] Trim nmcli connection names output
+
+The output from nmcli command was including leading spaces in the
+connection names. This was causing the the subsequent nmcli command to
+fail resulting in connections without a firewalld zone defined.
+--- + .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 4 ++-- + .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +index fa7830761df..6098155469c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +@@ -22,7 +22,7 @@ + block: + - name: '{{{ rule_title }}} - Collect NetworkManager connections names' + ansible.builtin.shell: +- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 ++ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g' + register: result_nmcli_cmd_connections_names + changed_when: false + +@@ -36,7 +36,7 @@ + + - name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone' + ansible.builtin.command: +- cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }} ++ cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }} + register: result_nmcli_cmd_connections_assignment + with_together: + - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +index afb89b7005a..25e54f09477 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +@@ -15,7 +15,7 @@ if firewall-cmd --state -q; then + + if systemctl is-active NetworkManager; then + # This will collect all NetworkManager connections names 
+- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. + +From df8cd2df8661a3fe9fb7d5b5b493a93e1f977654 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 20 Oct 2022 11:03:56 +0200 +Subject: [PATCH 10/14] Simplify the Bash remediation in alignment to Ansible + +--- + .../bash/shared.sh | 37 +++++++------------ + 1 file changed, 14 insertions(+), 23 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +index 25e54f09477..f883e614846 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +@@ -8,31 +8,22 @@ + {{{ bash_package_install("NetworkManager") }}} + {{{ bash_instantiate_variables("firewalld_sshd_zone") }}} + +-if firewall-cmd --state -q; then ++if systemctl is-active NetworkManager && systemctl is-active firewalld; then + # First make sure the SSH service is enabled in run-time for the proper zone. + # This is to avoid connection issues when new interfaces are addeded to this zone. + firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh + +- if systemctl is-active NetworkManager; then +- # This will collect all NetworkManager connections names +- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') +- +- # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. 
+- # This will not change connections which are already assigned to any firewalld zone.
+- for connection in "${nm_connections[@]}"; do
+- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+- if [ $current_zone = "--" ]; then
+- nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
+- fi
+- done
+- systemctl restart NetworkManager
+- else
+- echo "
+- NetworkManager service is not active. Remediation aborted!
+- This remediation could not be applied because it depends on NetworkManager service running.
+- The service is not started by this remediation in order to prevent connection issues."
+- exit 1
+- fi
++ # This will collect all NetworkManager connections names
++ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
++ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
++ # This will not change connections which are already assigned to any firewalld zone.
++ for connection in "${nm_connections[@]}"; do
++ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
++ if [ $current_zone = "--" ]; then
++ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
++ fi
++ done
++ systemctl restart NetworkManager
+
+ # Active zones are zones with at least one interface assigned to it.
+ # It is possible that traffic is comming by any active interface and consequently any
+@@ -44,8 +35,8 @@ if firewall-cmd --state -q; then
+ firewall-cmd --reload
+ else
+ echo "
+- firewalld service is not active. Remediation aborted!
+- This remediation could not be applied because it depends on firewalld service running.
++ firewalld and NetworkManager services are not active. Remediation aborted!
++ This remediation could not be applied because it depends on firewalld and NetworkManager services running.
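Review bot: `if [ $current_zone = "--" ]; then` leaves `$current_zone` unquoted, so when the `nmcli -f connection.zone connection show` lookup fails for a profile and the command substitution is empty, the test becomes `[ = "--" ]`, `test` reports an error and the zone assignment for that profile is skipped without the script noticing. `if [ "$current_zone" = "--" ]; then` is the safe form, and `connection.zone "$firewalld_sshd_zone"` should be quoted on the next line for the same reason. With the inner `systemctl is-active NetworkManager` branch removed by this hunk, the enclosing `if systemctl is-active NetworkManager && systemctl is-active firewalld` block is the only guard and continues into the next hunk.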
+ The service is not started by this remediation in order to prevent connection issues."
+ exit 1
+ fi
+
+From 8642f416a9cdeb5f0bc06f44d17f845afe089ce6 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt
+Date: Thu, 20 Oct 2022 11:07:31 +0200
+Subject: [PATCH 11/14] Improve wording on warning about custom ssh.xml
+
+---
+ .../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
+index d49a2af1d02..7446a62379d 100644
+--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
+@@ -49,9 +49,10 @@ warnings:
+ These respective services will not be started in order to preserve any intentional change
+ in network components related to firewall and network interfaces.
+ - general: |-
+- This rule also checks if the SSH port was modified by the administrator and is reflecting
+- the expected port number. Although this is checked, fixing the custom ssh.xml file is not
+- in the scope of the remediation since there is no reliable way to manually change the
+- respective file. If the default SSH port is modified, it is on the administrator
++ This rule also checks if the SSH port was modified by the administrator in the firewalld
++ services definitions and is reflecting the expected port number. Although this is checked,
++ fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it
++ is not in the scope of the remediation since there is no reliable way to manually change
++ the respective file. If the default SSH port is modified, it is on the administrator
+ responsibility to ensure the firewalld customizations in the service port level are
+ properly configured.
+ +From ab738103ab2c376dea88dcd797187adfbb07053f Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 20 Oct 2022 14:25:42 +0200 +Subject: [PATCH 12/14] Optimize test scenarios + +Some conditions were removed from test scenarios in order to make them +more resilient to test environment peculiarities. +--- + .../tests/customized_zone_configured.pass.sh | 4 ++-- + .../tests/customized_zone_without_ssh.fail.sh | 4 ++-- + .../tests/new_zone_configured.pass.sh | 7 ++----- + .../tests/new_zone_without_ssh.fail.sh | 7 ++----- + .../tests/only_nics_configured.fail.sh | 2 +- + .../tests/only_zones_configured.fail.sh | 7 ++----- + .../tests/zones_and_nics_configured.pass.sh | 2 +- + .../tests/zones_and_nics_ok_no_custom_files.pass.sh | 2 +- + .../tests/zones_and_nics_ok_port_changed.pass.sh | 2 +- + 9 files changed, 14 insertions(+), 23 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh +index 9bfd1737dc8..87e6871afb1 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh +@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager + firewall-cmd --zone=work --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
+@@ -30,8 +30,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep - + # Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is + # created in /etc/firewalld/zones. + for zone in $firewalld_active_zones; do +- firewall-cmd --permanent --zone="$zone" --add-service=ssh + firewall-cmd --permanent --zone="$zone" --add-service=http ++ firewall-cmd --permanent --zone="$zone" --add-service=ssh + done + + firewall-cmd --reload +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh +index f1d152c683e..383907d2cb7 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh +@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager + firewall-cmd --zone=work --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. +@@ -29,8 +29,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep - + # active zone. So, this make sure all active zones are permanently allowing SSH service. + # It is to ensure a custom file is created in /etc/firewalld/zones. 
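Review bot: `for zone in $firewalld_active_zones; do` on the context line above expands only the first element of the array filled by `readarray -t` in the hunk header, so this scenario adds http and ssh to a single active zone rather than all of them; the remediation fixed the identical loop in PATCH 08 with `for zone in "${firewalld_active_zones[@]}"; do`, and the test scenarios should use the same form. The same applies to `for connection in $nm_connections; do` in the new_zone_configured.pass.sh, new_zone_without_ssh.fail.sh and only_zones_configured.fail.sh hunks below, where only the first connection gets its zone set or cleared. On a test machine with more than one active zone or connection the pass/fail outcome may then depend on which element happens to come first rather than on what the OVAL check evaluates.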
+ for zone in $firewalld_active_zones; do +- firewall-cmd --permanent --zone="$zone" --remove-service=ssh + firewall-cmd --permanent --zone="$zone" --add-service=http ++ firewall-cmd --permanent --zone="$zone" --remove-service=ssh + done + + # Do not reload, otherwise SSG Test suite will be locked out. +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh +index cb8849b3f9f..9993e53788c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh +@@ -15,15 +15,12 @@ firewall-cmd --reload + firewall-cmd --zone=$custom_zone_name --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
+ for connection in $nm_connections; do +- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') +- if [ $current_zone = "--" ]; then +- nmcli connection modify "$connection" connection.zone "$custom_zone_name" +- fi ++ nmcli connection modify "$connection" connection.zone "$custom_zone_name" + done + systemctl restart NetworkManager + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh +index 5e0a6453df7..1301679b344 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh +@@ -15,15 +15,12 @@ firewall-cmd --reload + firewall-cmd --zone=$custom_zone_name --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
+ for connection in $nm_connections; do +- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') +- if [ $current_zone = "--" ]; then +- nmcli connection modify "$connection" connection.zone "$custom_zone_name" +- fi ++ nmcli connection modify "$connection" connection.zone "$custom_zone_name" + done + systemctl restart NetworkManager + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh +index 98525db2729..6552f3f4214 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh +@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager + firewall-cmd --zone=work --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
+diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh +index e14d6c959dc..72fc492e5bf 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh +@@ -10,15 +10,12 @@ systemctl start firewalld NetworkManager + firewall-cmd --zone=work --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is already assigned to a firewalld zone, removes the assignment. + # This will not change connections which are not assigned to any firewalld zone. 
+ for connection in $nm_connections; do +- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') +- if [ $current_zone != "--" ]; then +- nmcli connection modify "$connection" connection.zone "" +- fi ++ nmcli connection modify "$connection" connection.zone "" + done + systemctl restart NetworkManager + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh +index 489fe6ae7e8..02c627e5d00 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh +@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager + firewall-cmd --zone=work --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
+diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh +index c53fb99de78..9b3aa7d203f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh +@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager + firewall-cmd --zone=work --add-service=ssh + + # Collect all NetworkManager connections names. +-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh +index 46c4ed5f4d7..3e27a0647b0 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh +@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager + firewall-cmd --zone=work --add-service=ssh + + # Collect all NetworkManager connections names. 
+-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) ++readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. + +From a2a49e9e8330c12b73e1c3873974bcb9a41691d4 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Mon, 24 Oct 2022 17:04:41 +0200 +Subject: [PATCH 13/14] Remediation applicable to all NetworkManager + connections + +The remediation was initially consirering to set a firewalld zone only +to active NetworkManager connections. However, it is possible that a +system has more valid connection which are simply not in use at the +moment. These inactive connections can be used at some point and if this +happen, they will also be compliant with an explicit firewalld zone +assigned to them. This way it is indeeded ensured all connections have a +firewalld zone assigned. 
+--- + .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +- + .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +index 6098155469c..7b0bda3f10c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +@@ -22,7 +22,7 @@ + block: + - name: '{{{ rule_title }}} - Collect NetworkManager connections names' + ansible.builtin.shell: +- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g' ++ cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }' + register: result_nmcli_cmd_connections_names + changed_when: false + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +index f883e614846..76822bf01d8 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +@@ -14,7 +14,7 @@ if systemctl is-active NetworkManager && systemctl is-active firewalld; then + firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh + + # This will collect all NetworkManager connections names +- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') ++ readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
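Review bot: `nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'` limits the zone assignment to ethernet profiles, while the commit message states the goal is that all connections get a firewalld zone; wifi, bond, bridge, vlan or team profiles keep an empty zone after remediation and, if the OVAL objects seen earlier in this series scan every .nmconnection/ifcfg file as they appear to, the rule would still fail on such hosts. If the narrowing is intentional it should be stated in a comment next to the pipeline and in the rule's warnings; otherwise dropping `| grep ethernet`, or listing the profile types to include explicitly, keeps the remediation aligned with the check. `nmcli -g UUID con` would also avoid parsing the human-readable table with awk. The bash hunk that follows uses the same pipeline.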
+ for connection in "${nm_connections[@]}"; do + +From 657c1cc0331b97ee37e7a2d44e50fab668c33ce1 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Tue, 25 Oct 2022 15:40:15 +0200 +Subject: [PATCH 14/14] Improve regex to detect ifcfg files + +On RHEL7 and probably other distros which rely on ifcfg files by +default, there is a ifcfg file for the loopback interface, which is out +of the scope in this rule and should be ignored. This commit also +improved the wording in a OVAL comment to make it more clear. +--- + .../oval/shared.xml | 22 ++++++++++--------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +index e4c03c9aa4d..4adef2e53f5 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +@@ -59,7 +59,7 @@ + ^zone=(.*)$ + {{% else %}} + /etc/sysconfig/network-scripts +- ifcfg-.* ++ ^ifcfg-(?!lo).* + ^ZONE=(.*)$ + {{% endif %}} + 1 +@@ -88,7 +88,7 @@ + .*\.nmconnection + {{% else %}} + /etc/sysconfig/network-scripts +- ifcfg-.* ++ ^ifcfg-(?!lo).* + {{% endif %}} + + +@@ -164,12 +164,14 @@ + + + +- ++ directory with a file with the same name. So, its necessary to ensure the file delivered ++ by the package, in the /usr/lib/firewalld/services directory, was not changed. However, ++ if the file is changed, there is necessary to ensure there is a customized service ++ properly configured by the administrator. --> + +@@ -182,9 +184,9 @@ + /service/port[@port='22'] + + +- ++ + diff --git a/SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch b/SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch new file mode 100644 index 0000000..f15f6f4 --- /dev/null 
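Review bot: `^ifcfg-(?!lo).*` excludes every ifcfg file whose name begins with `lo`, not only the loopback profile, so a profile named, to take a constructed example, `ifcfg-lom0` would silently drop out of the check; anchoring the lookahead, `^ifcfg-(?!lo$).*`, limits the exclusion to `ifcfg-lo` itself. The same pattern is used in both hunks of this OVAL file, so both should change together. The `.*\.nmconnection` pattern on the RHEL 9 side is likewise unanchored; anchoring it to `^.*\.nmconnection$` would keep the two branches consistent.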
+++ b/SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch 
@@ -0,0 +1,95 @@
+From 9a72c4cef2dd782e14f1534a52c45125671a828d Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt
+Date: Mon, 14 Nov 2022 15:23:32 +0100
+Subject: [PATCH 2/4] Update remediation to skip .bash_profile file
+
+This file can have the umask content but for a different purpose than
+this rule intention. It was ignored in order to avoid changing the bash
+history. Ansible and Bash were updated.
+---
+ .../accounts_umask_interactive_users/ansible/shared.yml | 4 +++-
+ .../accounts_umask_interactive_users/bash/shared.sh | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+index 67064ac4a3b..3586ae69cbe 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+@@ -9,6 +9,8 @@
+ cmd: |
+ for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
+ for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
+- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
++ if [ "$(basename $file)" != ".bash_history" ]; then
++ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
++ fi
+ done
+ done
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+index d5f803db313..f524ff01f9a 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+@@ -6,6 +6,8 @@
+
+ {{% call 
iterate_over_command_output("dir", "awk -F':' '{ if ($3 >= " ~ uid_min ~ " && $3 != 65534) print $6}' /etc/passwd") -%}}
+ {{% call iterate_over_find_output("file", '$dir -maxdepth 1 -type f -name ".*"') -%}}
+-sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
++if [ "$(basename $file)" != ".bash_history" ]; then
++ sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
++fi
+ {{%- endcall %}}
+ {{%- endcall %}}
+
+From d0dcfc06b31d08cb42151463473ba0b211c54e6a Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt
+Date: Mon, 14 Nov 2022 15:26:04 +0100
+Subject: [PATCH 3/4] Include test scenario to test .bash_history treatment
+
+---
+ .../tests/bash_history_ignored.pass.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
+new file mode 100644
+index 00000000000..8eeffc233b2
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++
++USER="cac_user"
++useradd -m $USER
++echo "umask 022" > /home/$USER/.bash_history
+
+From c8dc63aad4fbe6df499192eda01d66e64bc8c9c3 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt
+Date: Mon, 14 Nov 2022 15:27:26 +0100
+Subject: [PATCH 4/4] Extend OVAL check to ignore .bash_history file
+
+This rule targets user files where the umask can be changed. It is not the
+case for .bash_history. In addition, it should be avoided to change the
+.bash_history file by this rule remediations.
+--- + .../accounts_umask_interactive_users/oval/shared.xml | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml +index 42dbdbbae46..6f3eaa570d7 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml +@@ -29,8 +29,14 @@ + ^\..* + ^[\s]*umask\s* + 1 ++ state_accounts_umask_interactive_users_bash_history +
+ ++ ++ ^\.bash_history ++ ++ + + +Date: Tue, 8 Nov 2022 13:53:14 +0100 +Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1 + +Following update from V1R8, update the STIG profile to configure +ClientAliveCountMax to 1. + +This will timeout SSH connections when client alive messages are not +received within ClientAliveInterval seconds. +This serves the purpose of disconnecting sessions when the client has +become unresponsive. +--- + .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 + + .../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 - + products/rhel8/profiles/stig.profile | 4 ++-- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +index bc8ee914565..df0681f3f3a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +@@ -55,6 +55,7 @@ references: + pcidss: Req-8.1.8 + srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 + stigid@ol7: OL07-00-040340 ++ stigid@rhel8: RHEL-08-010200 + stigid@sle12: SLES-12-030191 + stigid@ubuntu2004: UBTU-20-010036 + vmmsrg: SRG-OS-000480-VMM-002000 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +index 024cb687382..a02fa8f40db 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +@@ -54,7 +54,6 @@ references: + stigid@ol7: OL07-00-040340 + stigid@ol8: OL08-00-010200 + stigid@rhel7: RHEL-07-040340 +- stigid@rhel8: RHEL-08-010200 + stigid@sle12: SLES-12-030191 + stigid@sle15: SLES-15-010320 + vmmsrg: SRG-OS-000480-VMM-002000 +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 
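Review bot: The new guard in both the Ansible `cmd` and the Bash remediation expands `$file` unquoted inside `$(basename $file)`, and the enclosing `for file in $(find ...)` loop already word-splits the find output, so a dotfile whose name contains whitespace is never compared correctly and `sed -i` can be handed a partial path; at minimum quote it, `if [ "$(basename "$file")" != ".bash_history" ]; then`. The patch subject says `.bash_profile` while the code, the commit body and the new test scenario all skip `.bash_history`, which will mislead anyone reading the history later. The OVAL exclusion pattern `^\.bash_history` added in patch 4/4 is a prefix match and would presumably also exclude names such as `.bash_history.bak`; anchoring it as `^\.bash_history$` would keep the check aligned with the remediation's exact-name comparison, though the stripped markup here makes the surrounding state element hard to confirm.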
96dfbf6b203..d184957f28c 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -50,7 +50,7 @@ selections: + - var_password_pam_lcredit=1 + - var_password_pam_retry=3 + - var_password_pam_minlen=15 +- # - var_sshd_set_keepalive=0 ++ - var_sshd_set_keepalive=1 + - sshd_approved_macs=stig + - sshd_approved_ciphers=stig + - sshd_idle_timeout_value=10_minutes +@@ -174,7 +174,7 @@ selections: + # they still need to be selected so it follows exactly what STIG + # states. + # RHEL-08-010200 +- - sshd_set_keepalive_0 ++ - sshd_set_keepalive + # RHEL-08-010201 + - sshd_set_idle_timeout + + +From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Nov 2022 14:06:42 +0100 +Subject: [PATCH 2/7] Change verbiage on keepalive rules + +Stop using the 'idle', that implies an idle user; And +start using unresponsive, which better describes the state of network. +--- + .../ssh/ssh_server/sshd_set_keepalive/rule.yml | 15 ++++++++------- + .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 6 +++--- + 2 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +index df0681f3f3a..7a27c134f1e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +@@ -7,14 +7,15 @@ description: |- + during a SSH session and waits for a response from the SSH client. + The option ClientAliveInterval configures timeout after + each ClientAliveCountMax message. If the SSH server does not +- receive a response from the client, then the connection is considered idle ++ receive a response from the client, then the connection is considered unresponsive + and terminated. 
+ For SSH earlier than v8.2, a ClientAliveCountMax value of 0 +- causes an idle timeout precisely when the ClientAliveInterval is set. ++ causes a timeout precisely when the ClientAliveInterval is set. + Starting with v8.2, a value of 0 disables the timeout functionality + completely. If the option is set to a number greater than 0, then +- the idle session will be disconnected after +- ClientAliveInterval * ClientAliveCountMax seconds. ++ the session will be disconnected after ++ ClientAliveInterval * ClientAliveCountMax seconds without receiving ++ a keep alive message. + + rationale: |- + This ensures a user login will be terminated as soon as the ClientAliveInterval +@@ -70,8 +71,8 @@ ocil: |- +
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
+ If properly configured, the output should be: +
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
+- For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes an idle timeout precisely when ++ For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when + the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout + functionality completely. +- If the option is set to a number greater than 0, then the idle session will be disconnected after +- ClientAliveInterval * ClientAliveCountMax seconds. ++ If the option is set to a number greater than 0, then the session will be disconnected after ++ ClientAliveInterval * ClientAliveCountMax seconds witout receiving a keep alive message. +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +index a02fa8f40db..55011ab66a7 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +@@ -10,10 +10,10 @@ description: |- + during a SSH session and waits for a response from the SSH client. + The option ClientAliveInterval configures timeout after + each ClientAliveCountMax message. If the SSH server does not +- receive a response from the client, then the connection is considered idle ++ receive a response from the client, then the connection is considered unresponsive + and terminated. + +- To ensure the SSH idle timeout occurs precisely when the ++ To ensure the SSH timeout occurs precisely when the + ClientAliveInterval is set, set the ClientAliveCountMax to + value of 0 in + {{{ sshd_config_file() }}} +@@ -73,7 +73,7 @@ ocil: |- + If properly configured, the output should be: +
ClientAliveCountMax 0
+ +- In this case, the SSH idle timeout occurs precisely when ++ In this case, the SSH timeout occurs precisely when + the ClientAliveInterval is set. + + template: + +From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Nov 2022 14:27:50 +0100 +Subject: [PATCH 3/7] Add tests to check for configuration conflicts + +--- + .../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++ + .../tests/param_conflict_directory.fail.sh | 13 +++++++++++++ + 2 files changed, 24 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh +new file mode 100644 +index 00000000000..54441cbb5b6 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++ ++mkdir -p /etc/ssh/sshd_config.d ++touch /etc/ssh/sshd_config.d/nothing ++ ++if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then ++ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ++fi ++ ++echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config ++echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh +new file mode 100644 +index 00000000000..aa6931cc243 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++ ++# platform = multi_platform_fedora,Red Hat 
Enterprise Linux 9 ++ ++mkdir -p /etc/ssh/sshd_config.d ++touch /etc/ssh/sshd_config.d/nothing ++ ++if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then ++ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ++fi ++ ++echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf ++echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf + +From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Nov 2022 17:09:16 +0100 +Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax + +The rule was only checking the first occurence of ClientAliveCountMax, +but we need to check that all and any occurrences of +ClientAliveCountMax are compliant. +--- + .../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml +index 5e07d982821..404c36c8dbc 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml +@@ -49,7 +49,7 @@ + + /etc/ssh/sshd_config + ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$ +- 1 ++ 1 + + {{%- if sshd_distributed_config == "true" %}} + +Date: Tue, 8 Nov 2022 17:40:26 +0100 +Subject: [PATCH 5/7] Add test to check for configuration conflicts + +Add test for non distributed ssh config conflicts for +ClientAliveInterval. 
+--- + .../tests/param_conflict.fail.sh | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh +new file mode 100644 +index 00000000000..1e14aa3da36 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++ ++mkdir -p /etc/ssh/sshd_config.d ++touch /etc/ssh/sshd_config.d/nothing ++ ++if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then ++ sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ++fi ++if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then ++ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ++fi ++ ++echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config ++echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config ++echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config + +From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Nov 2022 17:41:19 +0100 +Subject: [PATCH 6/7] Change verbiage on idle timeout rule + +The config is not really about idle user timeout, the config is about +unresponsive network timeout. 
+--- + .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +index aa085894f61..c5606aac557 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +@@ -1,12 +1,12 @@ + documentation_complete: true + +-title: 'Set SSH Idle Timeout Interval' ++title: 'Set SSH Client Alive Interval' + + description: |- +- SSH allows administrators to set an idle timeout interval. After this interval +- has passed, the idle user will be automatically logged out. ++ SSH allows administrators to set a network responsiveness timeout interval. ++ After this interval has passed, the unresponsive client will be automatically logged out. +

+- To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as ++ To set this timeout interval, edit the following line in /etc/ssh/sshd_config as + follows: +
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}
+

+@@ -15,7 +15,7 @@ description: |- +

+ If a shorter timeout has already been set for the login shell, that value will + preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that +- some processes may stop SSH from correctly detecting that the user is idle. ++ some processes may stop SSH from correctly detecting that the user is idle. + + rationale: |- + Terminating an idle ssh session within a short time period reduces the window of +@@ -81,7 +81,7 @@ ocil: |- + + warnings: + - dependency: |- +- SSH disconnecting idle clients will not have desired effect without also ++ SSH disconnecting unresponsive clients will not have desired effect without also + configuring ClientAliveCountMax in the SSH service configuration. + - general: |- + Following conditions may prevent the SSH session to time out: + +From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 9 Nov 2022 11:31:50 +0100 +Subject: [PATCH 7/7] Update profile stability test data + +--- + tests/data/profile_stability/rhel8/stig.profile | 3 ++- + tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index cadc3f5fc7a..51971451996 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -371,7 +371,7 @@ selections: + - sshd_print_last_log + - sshd_rekey_limit + - sshd_set_idle_timeout +-- sshd_set_keepalive_0 ++- sshd_set_keepalive + - sshd_use_strong_rng + - sshd_x11_use_localhost + - sssd_certificate_verification +@@ -441,6 +441,7 @@ selections: + - var_password_pam_ucredit=1 + - var_password_pam_lcredit=1 + - var_password_pam_retry=3 ++- var_sshd_set_keepalive=1 + - sshd_approved_macs=stig + - sshd_approved_ciphers=stig + - sshd_idle_timeout_value=10_minutes +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile 
b/tests/data/profile_stability/rhel8/stig_gui.profile +index bde4e18b068..fd150744167 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -381,7 +381,7 @@ selections: + - sshd_print_last_log + - sshd_rekey_limit + - sshd_set_idle_timeout +-- sshd_set_keepalive_0 ++- sshd_set_keepalive + - sshd_use_strong_rng + - sshd_x11_use_localhost + - sssd_certificate_verification +@@ -449,6 +449,7 @@ selections: + - var_password_pam_ucredit=1 + - var_password_pam_lcredit=1 + - var_password_pam_retry=3 ++- var_sshd_set_keepalive=1 + - sshd_approved_macs=stig + - sshd_approved_ciphers=stig + - sshd_idle_timeout_value=10_minutes diff --git a/SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch b/SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch new file mode 100644 index 0000000..7069c5d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch 
@@ -0,0 +1,142 @@
+From e4bcce25933c474cb2358411e30917d30fdf6eb7 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 10 Nov 2022 10:13:16 +0100
+Subject: [PATCH 1/3] Add tests to check for RekeyLimit conflicts
+
+---
+ .../sshd_rekey_limit/tests/param_conflict.fail.sh | 13 +++++++++++++
+ .../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
+new file mode 100644
+index 00000000000..0eb6aab6804
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++SSHD_PARAM="RekeyLimit"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
++echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
+new file mode 100644
+index 00000000000..bc254a3a57c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++SSHD_PARAM="RekeyLimit"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q 
"^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then ++ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ++fi ++ ++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config.d/good_config.conf ++echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config.d/bad_config.conf + +From 2654d659b4dbe7eed9794005153ea3f147b27320 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Nov 2022 10:32:35 +0100 +Subject: [PATCH 2/3] Separate the SSHD parameter from the value + +Separate the SSHD paramater RekeyLimit from the compliant values. +This makes it possible to collect all occurrences of RekeyLimit and +compare each of then with the compliant values. +--- + .../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +index b2dd9039200..38c8a84aa3f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +@@ -24,30 +24,36 @@ + + + ++ + + + + {{{ sshd_config_path }}} +- ++ ^[\s]*{{{ parameter }}}[\s]+(.*)$ + 1 + + + {{%- if sshd_distributed_config == "true" %}} + + ++ + + + + {{{ sshd_config_dir}}} + .*\.conf$ +- ++ ^[\s]*{{{ parameter }}}[\s]+(.*)$ + 1 + + {{%- endif %}} + ++ ++ ++ ++ + + +- ^[\s]*{{{ parameter }}}[\s]+ ++ ^ + + [\s]+ + + +From f5847d8362e7331fde049f3c56f6bb4f44fb18f1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Nov 2022 10:39:45 +0100 +Subject: [PATCH 3/3] Add test for duplicated SSHD parameter + +Ensure the rule still passes when a parameter is defined multiple times +but have the same value. 
+---
+ .../tests/duplicated_param.pass.sh | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
+new file mode 100644
+index 00000000000..2e0d8145abd
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++
++SSHD_PARAM="RekeyLimit"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
++
diff --git a/SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch b/SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch
new file mode 100644
index 0000000..6dbce06
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch
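Review bot: The new OVAL object pattern `^[\s]*{{{ parameter }}}[\s]+(.*)$` in sshd_rekey_limit/oval/shared.xml (patch 2/3, earlier in this hunk) is case-sensitive, whereas sshd matches keywords case-insensitively and the ClientAliveCountMax check elsewhere on this page already uses `(?i)`; a `rekeylimit 1G 3h` line would be honoured by sshd but not collected, so `^[\s]*(?i){{{ parameter }}}[\s]+(.*)$` looks safer. The `(.*)$` capture also appears to take everything to end of line, so a value followed by a trailing comment would presumably fail the comparison against the compliant values; the stripped markup makes that hard to confirm from here. The test scaffolds in this hunk and in the PR_9798 compression tests guard `sed -i "/^\s*${SSHD_PARAM}.*/Id"` behind a case-sensitive `grep -q "^\s*${SSHD_PARAM}"`, so a pre-existing lowercase directive survives the cleanup and can change what the scenario exercises; since the sed delete is a no-op when nothing matches, running the `sed` unconditionally and dropping the `if` is both simpler and more robust.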
@@ -0,0 +1,52 @@
+From 93b9ab4f532710a8c063d7a71cbbeee26be2470b Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 8 Nov 2022 18:01:17 +0100
+Subject: [PATCH] Add test for param conflicts for SSH compression
+
+---
+ .../tests/param_conflict.fail.sh | 13 +++++++++++++
+ .../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
+new file mode 100644
+index 00000000000..a631b3207bd
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++SSHD_PARAM="Compression"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} no" >> /etc/ssh/sshd_config
++echo "${SSHD_PARAM} yes" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
+new file mode 100644
+index 00000000000..f1c15c139c7
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++SSHD_PARAM="Compression"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch 
/etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} no" > /etc/ssh/sshd_config.d/good_config.conf
++echo "${SSHD_PARAM} yes" > /etc/ssh/sshd_config.d/bad_config.conf
diff --git a/SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch b/SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
new file mode 100644
index 0000000..7059572
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
@@ -0,0 +1,202 @@
+From c0320e5b1fc9257ef87956afc845fcbc579a080c Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 14 Nov 2022 15:16:32 +0100
+Subject: [PATCH 1/4] Add tests for sysctls in /usr/local/lib/sysctl.d
+
+Sysctl options can also be defined in /usr/local/lib/sysctl.d/
+---
+ .../tests/correct_value_usr_local_lib.pass.sh | 14 ++++++++++++++
+ .../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 14 ++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
+ create mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
+
+diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
+new file mode 100644
+index 00000000000..3e366a9162f
+--- /dev/null
++++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++{{% if SYSCTLVAL == "" %}}
++# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
++{{% endif %}}
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
++mkdir /usr/local/lib/sysctl.d/
++echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf
++
++# set correct runtime value to check if the filesystem configuration is evaluated properly
++sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
+diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
+new file mode 100644
+index 00000000000..fee34ea272f
+--- /dev/null
++++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++{{% if SYSCTLVAL == "" %}}
++# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
++{{% endif %}}
++
++# Clean 
sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf ++mkdir /usr/local/lib/sysctl.d/ ++echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf ++ ++# Setting correct runtime value ++sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" + +From 81d45583b4ebd42302d9734447082afc97587ed8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Nov 2022 15:19:15 +0100 +Subject: [PATCH 2/4] sysctl: Check /usr/local/lib/sysctl.d for configs + +Update the template so that /usr/local/lib/sysctl.d is also checked for +sysctl onfigurations. +--- + shared/templates/sysctl/oval.template | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index bbe646274f6..3fe6de1c185 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -138,6 +138,8 @@ + + {{% endif %}} ++ + + {{% if target_oval_version >= [5, 11] %}} + +@@ -181,6 +183,13 @@ + + {{% endif %}} + ++ ++ {{{ state_static_sysctld("usr_local_lib_sysctld") }}} ++ ++ + + + +@@ -190,7 +199,7 @@ + + + object_static_etc_sysctls_{{{ rule_id }}} +- object_static_run_usr_sysctls_{{{ rule_id }}} ++ object_static_run_usr_local_sysctls_{{{ rule_id }}} + + + +@@ -201,6 +210,13 @@ + +
+ ++ ++ ++ object_static_usr_local_lib_sysctld_{{{ rule_id }}} ++ object_static_run_usr_sysctls_{{{ rule_id }}} ++ ++ ++ + + + object_static_run_sysctld_{{{ rule_id }}} +@@ -227,6 +243,12 @@ + {{{ sysctl_match() }}} + + ++ ++ /usr/local/lib/sysctl.d ++ ^.*\.conf$ ++ {{{ sysctl_match() }}} ++ ++ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + + /usr/lib/sysctl.d + +From e863b901b4cca177a67dd11d40a5b4d9ce6deaba Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Nov 2022 15:35:17 +0100 +Subject: [PATCH 3/4] sysctl: Align Ansible and Bash remediations + +The Ansible remediation for some products were not aligned with the Bash +one. +--- + shared/templates/sysctl/ansible.template | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index edc4d3fb667..d67cdd2068c 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -9,12 +9,15 @@ + paths: + - "/etc/sysctl.d/" + - "/run/sysctl.d/" ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ - "/usr/lib/sysctl.d/" ++{{% endif %}} + contains: '^[\s]*{{{ SYSCTLVAR }}}.*$' + patterns: "*.conf" + file_type: any + register: find_sysctl_d + +-- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files ++- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files + replace: + path: "{{ item.path }}" + regexp: '^[\s]*{{{ SYSCTLVAR }}}' + +From 528715c89910afdfb0287b7f405d6849b5701ecb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Nov 2022 15:36:59 +0100 +Subject: [PATCH 4/4] sysctl: remove settings in /usr/local/lib/sysctl.d + +Also check for sysctl configs /usr/local/lib/sysctl.d for sysctl options +and comment them out. 
+---
+ shared/templates/sysctl/ansible.template | 1 +
+ shared/templates/sysctl/bash.template | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
+index d67cdd2068c..3ac5d072fcf 100644
+--- a/shared/templates/sysctl/ansible.template
++++ b/shared/templates/sysctl/ansible.template
+@@ -9,6 +9,7 @@
+ paths:
+ - "/etc/sysctl.d/"
+ - "/run/sysctl.d/"
++ - "/usr/local/lib/sysctl.d/"
+ {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+ - "/usr/lib/sysctl.d/"
+ {{% endif %}}
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 27935c33612..83f50a74a06 100644
+--- a/shared/templates/sysctl/bash.template
++++ b/shared/templates/sysctl/bash.template
+@@ -6,9 +6,9 @@
+
+ # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+ {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
++for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+ {{% else %}}
+-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
++for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
+ {{% endif %}}
+ matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
diff --git a/SOURCES/scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch b/SOURCES/scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch
new file mode 100644
index 0000000..e1bfb54
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch
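Review bot: The context comment `# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files` directly above the rewritten `for f in` lines in bash.template is now stale, since the loop also walks /run/sysctl.d, /usr/local/lib/sysctl.d and, outside the listed RHEL/OL products, /usr/lib/sysctl.d; the Ansible task name was generalised in patch 3/4 but this one was not, so `# Comment out any occurrences of {{{ SYSCTLVAR }}} from *.conf files in every sysctl.d directory the loop covers` would keep the two remediations in step. In the new scenarios from patch 1/4 earlier in this hunk, `mkdir /usr/local/lib/sysctl.d/` has no `-p` and fails on a host where the directory already exists, and `wrong_value_usr_local_lib.fail.sh` omits `/usr/local/lib/sysctl.d/*` from its cleanup `rm -rf` while the pass scenario includes it, so a leftover drop-in from an earlier run can change the result; `mkdir -p` and the same cleanup list in both scripts would make them hermetic. Extending the check and remediations to /usr/local/lib/sysctl.d is worthwhile from a hardening standpoint, because a drop-in there is not package-owned yet takes precedence over /usr/lib/sysctl.d in sysctl's documented lookup order, so it is exactly where a silent override would otherwise go unnoticed.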
@@ -0,0 +1,6320 @@ +From 2de56fa60573836543387b250fdd94c19f055393 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Nov 2022 11:30:33 +0100 +Subject: [PATCH 1/4] Update DISA RHEL8 STIG manual benchmark to V1R8 + +--- + ... => disa-stig-rhel8-v1r8-xccdf-manual.xml} | 1021 +++++++++++------ + 1 file changed, 669 insertions(+), 352 deletions(-) + rename shared/references/{disa-stig-rhel8-v1r7-xccdf-manual.xml => disa-stig-rhel8-v1r8-xccdf-manual.xml} (87%) + +diff --git a/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r8-xccdf-manual.xml +similarity index 87% +rename from shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml +rename to shared/references/disa-stig-rhel8-v1r8-xccdf-manual.xml +index a02819d3002..f92f552c3ba 100644 +--- a/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml ++++ b/shared/references/disa-stig-rhel8-v1r8-xccdf-manual.xml +@@ -1,28 +1,31 @@ +-acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 27 Jul 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>